from:"Holger Levsen"

Bug#1071466: gpg-from-sq: clear-sign failed: Signing key maps to different keys

2024-05-19 Thread Holger Levsen

Package: gpg-from-sq
Version: 0.8.0-5
Severity: normal

Dear Maintainer ;)

when trying to upload I got this failure:

gpg: /tmp/debsign.ctzWuMYi/rust-sequoia-directories_0.1.0-1.dsc: clear-sign 
failed: Signing key hol...@debian.org maps to 2 different keys: 
["480E51BAFB08CB4175CC91B15072D036AC583520", 
"B8BF54137B09D35CF026FE9D091AB856069AAA1C"]
debsign: gpg error occurred!  Aborting

I suppose this is not a rare configuration.


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

It ain't no revolution, just because you can dance to it.


signature.asc
Description: PGP signature

Bug#1069322: diffoscope crashes when trying to compare unreproducible src:dasel build artifacts

2024-05-14 Thread Holger Levsen

On Tue, May 14, 2024 at 11:43:29AM +0100, Chris Lamb wrote:
> Ah, I was hoping that the systemd slice apparatus would be able to
> contain any traceback, but now that I think of it, being OOM-killed is
> not quite the same as CPython-level crash (and thus traceback).

:)
 
> > https://tests.reproducible-builds.org/debian/artifacts/r00t-me/trixie_i386_dasel_tmp-kqFaQ/
> > is maybe working as in crashing for you?
> 
> Alas, this works for me and does not crash. I suppose the next thing
> might be to try and run with --debug? That way, we might be able to
> determine which file, comparator or external tool was being run when
> diffoscope invoked the ire of the oom-killer.

I'm not sure how --debug output should survive, but you mean just running
diffoscope with an added --debug option?


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

The average US president has been charged with 2 felonies: #45 with 91 and
the others with 0.


signature.asc
Description: PGP signature

Bug#1069322: diffoscope crashes when trying to compare unreproducible src:dasel build artifacts

2024-05-14 Thread Holger Levsen

On Wed, May 08, 2024 at 03:07:00PM +0100, Chris Lamb wrote:
> Hm, I can't seem to reproduce the crash with these files. In the first
> instance, can you paste a traceback or similar of the crash in
> question? Maybe it is fixable just from that without having to find
> and upload more files, etc.

I don't have a traceback as the oom-kill also kills the surrounding
processes...

May 13 20:45:41 jenkins kernel: 
oom-kill:constraint=CONSTRAINT_MEMCG,nodemask=(null),cpuset=/,mems_allowed=0,oom_memcg=/user.slice/user-103.slice/user@103.service/rb.slice,task_memcg=/user.slice/user-103.slice/user@103.service/rb.slice/rb-build.slice/rb-build-diffoscope.slice/rb-diffoscope-i386_1-26686.service,task=diffoscope,pid=4117661,uid=103
May 13 20:45:41 jenkins kernel: Memory cgroup out of memory: Killed process 
4117661 (diffoscope) total-vm:218023820kB, anon-rss:86849224kB, 
file-rss:40448kB, shmem-rss:0kB, UID:103 pgtables:425080kB oom_score_adj:200
May 13 20:45:41 jenkins systemd[1]: user@103.service: A process of this unit 
has been killed by the OOM killer.
May 13 20:45:41 jenkins systemd[1620]: rb-diffoscope-i386_1-26686.service: A 
process of this unit has been killed by the OOM killer.

is basically all I see.

https://tests.reproducible-builds.org/debian/artifacts/r00t-me/trixie_i386_dasel_tmp-kqFaQ/
is maybe working as in crashing for you?

-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

https://showyourstripes.info

signature.asc
Description: PGP signature

Bug#966621: Make /tmp/ a tmpfs and cleanup /var/tmp/ on a timer by default [was: Re: systemd: tmpfiles.d not cleaning /var/tmp by default]

2024-05-06 Thread Holger Levsen

clone 966621 -1
reassign -1 release-notes
thanks

On Mon, May 06, 2024 at 10:40:00AM +0200, Michael Biebl wrote:
> We have two separate issues here:
> 
> a/ /tmp-on-tmpfs
> b/ time based clean-up of /tmp and /var/tmp
> 
> I think it makes sense to discuss/handle those separately.

very much agreed. a.) is mostly "just" a /tmp size issue but b.) can introduce
interesting unforseen breakages for long running stuff.



-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

“I'll tell you what freedom is to me No fear.” (Nina Simone)


signature.asc
Description: PGP signature

Bug#1069934: 4.9.2. The dak ls utility should mention rmadison

2024-04-27 Thread Holger Levsen

control: severity -1 wishlist
thanks

Hi Bill,

On Sat, Apr 27, 2024 at 12:11:21PM +0200, Bill Allombert wrote:
> 4.9.2. The dak ls utility
> could mention rmadison from devscripts
> that does not require to log to ftp-master.debian.org.

yes. patches, commits & pushes welcome.

-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

20230709: Today was the warmest day on earth in 125,000 years. Today was also
the day with the most planes in the air at one time ever in history. By the time
you read this both of these records have probably been broken.

signature.asc
Description: PGP signature

Bug#1069853: pbuilder: add support for '--debootstrap mmdebstrap'

2024-04-25 Thread Holger Levsen

Package: pbuilder
Version: 0.231
Severity: wishlist

Dear Maintainer,

please add support for '--debootstrap mmdebstrap'.


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

figures don't lie, but liars figure.


signature.asc
Description: PGP signature

Bug#1069727: libsequoia-octopus-librnp: Thunderbird integration autopkgtests

2024-04-25 Thread Holger Levsen

On Tue, Apr 23, 2024 at 10:02:13AM -0400, Daniel Kahn Gillmor wrote:
> It would be great to have an autopkgtest that confirms that it actually
> interoperates with Thunderbird as expected.
[...] 
> Perhaps upstream could help us assemble a comparable test that would run
> reliably in ci.debian.org.

upstream pointed me to 
https://gitlab.com/sequoia-pgp/sequoia-octopus-librnp/-/pipelines/1258177075 
and said "note jobs in the tb_test column", which at least is something
in that direction, though I think eg
https://gitlab.com/sequoia-pgp/sequoia-octopus-librnp/-/jobs/6656045653
(1st link from that 1st url in that column mentioned above) is not
really easily comprehensible and I would also love to see something with
screenshots (and a video) where one can see thunderbird started,
email being written, pgp icon clicked, etc, as I've seen being done
eg with openqa.

-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

The past is over.

signature.asc
Description: PGP signature

Bug#1069242: official bookworm-backports of rust packages unlikely

2024-04-25 Thread Holger Levsen

control: tags -1 + wontfix

hi Jérôme,

backports of rust packages at least currently are very unlikely, because
one cannot simply backport one package plus one or two libraries maybe,
or 5 libraries, but instead one would need to backport 
src:rust-sequoia-octopus-librnp
which would need around 10 other src:rust-sequoia* packages, which 
then need a 100 (or 200?) or so other src:rust* packages backported and
then these backports (besides being a huge effort already) need to be
maintained until after one year of the release of trixie, which translates
to more backports of these hundreds of packages plus any new dependencies...

So right now I don't see *this* happen, sorry.

OTOH, if the unstable libsequoia-octopus-librnp binary package works for you
on bookworm, it's trivial to put it in a local apt repo and be done. :)


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

Stop saying that we are all in the same boat.
We’re all in the same storm. But we’re not all in the same boat.


signature.asc
Description: PGP signature

Bug#1069686: libsequoia-octopus-librnp: postinst script Syntax error: "fi" unexpected

2024-04-22 Thread Holger Levsen

On Mon, Apr 22, 2024 at 02:41:44PM -0400, Daniel Kahn Gillmor wrote:
> /var/lib/dpkg/tmp.ci/preinst: 12: Syntax error: "fi" unexpected (expecting 
> "then")
> dpkg: error processing archive 
> /tmp/apt-dpkg-install-aFNmwO/1-libsequoia-octopus-librnp_1.8.1-3_amd64.deb 
> (--unpack):
>  new libsequoia-octopus-librnp package pre-installation script subprocess 
> returned error exit status 2

fixed in git.

> Please try at least installing and uninstalling the package before
> pushing it into unstable!

the change seems innocent enough... (I just wasnt expected the different
formatting styles...)

> This also makes me wonder whether we should be doing anything in an
> autopkgtest kind of way for this package.  It'd be great to get some
> more automated confirmation that the things are working as expected
> before we inflict them on the rest of the debian ecosystem :P

the irony is: the autopkg tests for the package had failed which I blamed
on unstables unstableness these days, so I reviewed the diff once more,
(again) didnt notice the introduced bug and did a source only upload,
because the change were tiny... :/

to me this is more an argument for unstable-untested, or testing maybe.

-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

20230709: Today was the warmest day on earth in 125,000 years. Today was also
the day with the most planes in the air at one time ever in history. By the time
you read this both of these records have probably been broken.

signature.asc
Description: PGP signature

Bug#1069593: libsequoia-octopus-librnp: dpkg-divert in preinst doesn't happen on upgrade

2024-04-22 Thread Holger Levsen

hi dkg,

thanks for these bugreports! I've commited fixes and am doing test
builds now and will upload shortly.

On Sun, Apr 21, 2024 at 04:29:10AM -0400, Daniel Kahn Gillmor wrote:
> Why does the package exclude the diversion when preinst runs on upgrade?

I guess because I used a bad example...
 
> i see the same issue in the use of dpkg-divert in gpg-from-sq and
> gpgv-from-sq also, btw.  Compare that to the use of dpkg-divert in
> /var/lib/dpkg/info/perl-doc.preinst, for example, which triggers on both
> "install" and on "upgrade".

thanks. will upload a new version of chameleon once we confirmed
with this package that the fix works.

> I worked around this on my system by removing libsequoia-octopus-librnp,
> upgrading thunderbird, and then reinstalling libsequoia-octopus-librnp,
> but it seems like the goal should be to not have to make the user do
> that.
 
yes, absolutly.


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

"I became an antifascist out of a sense of common decency.” – Marlene Dietrich


signature.asc
Description: PGP signature

Bug#1069139: developers-reference: out-of-date section "Make transition packages deborphan compliant"

2024-04-21 Thread Holger Levsen

On Sat, Apr 20, 2024 at 08:30:52PM +0200, Guillem Jover wrote:
> While I fully support properly marking obsolete packages by putting
> them in the (unfortunately misnamed :) oldlibs section (well excluding
> library-like depended on packages that get dropped as a mater of course).
> I wanted to note that I've received some pushback from the archive
> maintainers about this being considered unnecessary churn (paraphrasing
> from what ISTR). So it would be nice to clarify this with them before
> creating and proposing a procedure that might end up generating social
> friction.

I tend to agree. Already now maintainers forget to drop transitional
packages after having them been part of *two* releases (I have filed >400 bugs
requesting removal of such old transitional packages in the last 10y, so 
roughly 80 per release), so I don't think requiring them to do *more*
will work out nicely.

(also this adds workload to ftpmasters too.)

-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

"In just 6 decades, roughly the life span of a blue whale, humans took blue 
whale
population down from 360,000 to just 1,000. In one century, whalers killed two
million baleen whales, which together weighed twice as much as all wild mammals
on Earth today."
https://www.theatlantic.com/science/archive/2021/11/whaling-whales-food-krill-iron/620604/

signature.asc
Description: PGP signature

Bug#1069322: diffoscope crashes when trying to compare unreproducible src:dasel build artifacts

2024-04-19 Thread Holger Levsen

Package: diffoscope
Version: 264
Severity: normal
X-Debbugs-Cc: team+pkg...@tracker.debian.org

Dear Maintainer,

diffoscope crashes when comparing the build results of src:dasel. To make it
more fun, src:dasel is only unreproducible on i386 (out of our four tested
archs, amd64/i386/arm64/armhf) and only *sometimes*.

vagrant added the following note to reproducible-notes.git, visible at
https://tests.reproducible-builds.org/debian/rb-pkg/unstable/i386/dasel.html

---begin-note---
timezone-dependent date in manpages triggered when building with
reprotest but not reproducible builds test infrastructure.
dasel itself is used to generate the manpage.
https://sources.debian.org/src/dasel/2.7.0-1/internal/command/man.go/
.
Something non-deterministic, possibly GO BUILDID only on i386.
---end-note---

several build artifacts at available at 
https://tests.reproducible-builds.org/debian/artifacts/r00t-me/
and only the i386 ones are sometimes unreproducible and then
crashing diffoscope. (Please download them for investigations,
they will vanish after 48h but I can easily and quickly recreate
them anytime.)


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

I used to be scared for our grandchildren's future. Such optimism!


signature.asc
Description: PGP signature

Bug#1069139: developers-reference: out-of-date section "Make transition packages deborphan compliant"

2024-04-17 Thread Holger Levsen

Hi Vincent,

On Wed, Apr 17, 2024 at 04:24:16AM +0200, Vincent Lefevre wrote:
> Now that the deborphan package has been removed from unstable,
> the section "Make transition packages deborphan compliant" in
> "Best Packaging Practices" is out of date and should be updated.
> 
> See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1065312
> where "apt-mark auto ..." (for autoremove) is suggested as a
> replacement. But with it, putting transition packages to oldlibs
> is even more necessary.

thanks for filing this bug report. Patches are very welcome, it's all
mark down now.

-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

So what CAN we actually do? Well, individual decisions (eating less meat,
taking public transport, buying less fast fashion) are all important, but we
also need to change the system. As you may know, just 100 companies are
responsible for 71% of global emissions. (@JessicaTheLaw)
https://www.theguardian.com/sustainable-business/2017/jul/10/100-fossil-fuel-companies-investors-responsible-71-global-emissions-cdp-study-climate-change

signature.asc
Description: PGP signature

Bug#1068890: diffoscope: --hard-timeout option

2024-04-16 Thread Holger Levsen

On Tue, Apr 16, 2024 at 04:51:09PM +0100, Chris Lamb wrote:
> Just to say that I am totally on board with the idea of ensuring we
> get _something_ out of diffoscope on tests.reproducible-builds.org.

:) great!

> Way better than 250 timeouts.

https://tests.reproducible-builds.org/debian/stats_breakages.png
showed that in the last 3-4 years there was constant progress on that! \o/

> However, I think this first iteration of --hard-timeout time has a few
> things that would need ironing out first, and potentially make it not
> worth implementing:
> 
> (1) You suggest it should start again with "--max-container-depth 3",
> but it would surely need some syntax (or another option?) to control
> that "3" (but for the second time only).

another option, --second-pass-max-container-depth or some such

> (2) In fact, its easy to imagine that one would want to restart with
> other restrictions as well: not just --max-container-depth. For
> instance, excluding external commands like readelf and objdump that
> you know to be slow.

yes, that's a good idea and IMO should be automatically implied for the
2nd pass or round or try.

> (3) The output might need some comment saying "this was re-run with
> restrictions as we hit a timeout".

absolutly.

> (4) My gut feel that it would not be all that great to rely on CPython
> to really properly clear up child processes after a certain amount of
> time. Although I believe the most reliable top-level description to do
> this kind of thing inside CPython is to start a watchdog thread that
> sleeps until the timeout and then tries to kill everything, but my
> experience of doing anything like this within Python itself is not
> great, and essentially always needed something at the process level
> outside of it for it to be reliable. A container would be even more
> effective, I'm sure.

hmmm.

> In other words, I think the best way of achieving the result we want
> is, alas, by doing it outside of diffoscope at the level of the
> Jenkins. As in, exactly what you describe here:
> 
> > Else we could also extend the current code for tests.r-b.o/debian, 
> > which currently
> > just kills diffoscope after 2h, to then run diffoscope 
> > --max-container-depth 3 :)
> 
> Is that a massive faff?  :/

not really, I guess it would be rather simple even, I just thought
(or think?) that it would be a nice feature for diffoscope proper.


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

The purpose of propaganda isn't to make you believe something. It's to make you
believe nothing. So that you do nothing. (@DarthPutinKGB)


signature.asc
Description: PGP signature

Bug#1069100: libscout.jar has duplicate ZIP entries in the central directory

2024-04-16 Thread Holger Levsen

Package: libscout
Version: 2.3.2-3
Severity: normal
X-Debbugs-Cc: reproducible-bui...@alioth-lists.debian.net, Fay Stegerman 


Dear Maintainer,

a few days ago I filed "#1068705: diffoscope crashes on libscout 2.3.2-3 build
on unstable but not bullseye" which then led Fay Stegerman to discover than
src:libscout builds a libscout.jar that has duplicate ZIP entries in the central
directory, pointing to the same actual entry in the ZIP. Please don't do this.

#1068705 has been fixed in the meantime and diffoscope 264 can now correctly
display the differences, as can be seen in
https://tests.reproducible-builds.org/debian/rb-pkg/unstable/i386/diffoscope-results/libscout.html
this is still an incorrect and broken zip file.

Thanks for maintaining libscout!


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

I miss the old days were billionaires’ vanity projects were to build 1000 public
libraries or giant music venues.


signature.asc
Description: PGP signature

Bug#1068705: diffoscope crashes on libscout 2.3.2-3 build on unstable but not bullseye

2024-04-16 Thread Holger Levsen

On Mon, Apr 15, 2024 at 03:00:42PM +0200, Fay Stegerman wrote:
> > (thanks again!), am I correct to assume that thus there's no need
> > to file a seperate bug against libscout?
> It's generating a broken ZIP file with duplicate entries.  It really shouldn't
> be doing that, regardless of whether we can extract the files nonetheless.
> That's still a bug that should be reported and fixed.

ok, will do, mostly using this bug as reference, thanks!

> > (which is nice, though maybe could only been shown once?)
> Ah.  It correctly shows that twice as there could be differences between the 
> two
> files being compared wrt whether they have duplicate entries (and if so how
> many).
> 
> And if you run 'diffoscope foo.zip bar.zip' it'll show those two different 
> file
> names.  But in this case we have nested archives and the path (and in this 
> case
> also the number of duplicate entries) is identical for both, so maybe we can
> tweak the output to show which top-level file it belongs to?

yes.

:)
 
> > though this later is done using diffoscope from unstable while the
> > rest of the userland is bullseye, so this might be expected as well?
> Ah.  Looks like zipdetails(1) on bullseye doesn't support the --redact, 
> --scan,
> and --utc options yet.

right, thanks for confirming in detail!


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

Dance like no one's watching. Encrypt like everyone is.


signature.asc
Description: PGP signature

Bug#1068705: diffoscope crashes on libscout 2.3.2-3 build on unstable but not bullseye

2024-04-15 Thread Holger Levsen

Hi again,

I've got two remaining questions about libscout (and diffoscope)

On Thu, Apr 11, 2024 at 01:48:18AM +0200, Fay Stegerman wrote:
> unzip does seem to extract all the files, though it errors out.  Not sure what
> diffoscope should do here.  This is definitely a broken ZIP file.  That bug
> should probably be reported against libscout or whatever tooling it used to
> create that JAR.

you filed https://github.com/python/cpython/issues/117779
(thanks again!), am I correct to assume that thus there's no need
to file a seperate bug against libscout?

and 2nd, 
https://tests.reproducible-builds.org/debian/rb-pkg/unstable/arm64/diffoscope-results/libscout.html
now as expected displays:

'./usr/share/java/libscout.jar' has 35 duplicate entries
'./usr/share/java/libscout.jar' has 35 duplicate entries

(which is nice, though maybe could only been shown once?)

but 
https://tests.reproducible-builds.org/debian/rb-pkg/bullseye/arm64/diffoscope-results/libscout.html
shows this:

Command `'zipdetails --redact --scan --utc {}'` failed with exit code 255. 
Standard output:
zipdetails [OPTIONS] file

Display details about the internal structure of a Zip file.

This is zipdetails version 1.11

OPTIONS
 -h display help
 -v Verbose - output more stuff
[...]
Archive contents identical but files differ, possibly due to different 
compression levels. Falling back to binary comparison.
'./usr/share/java/libscout.jar' has 35 duplicate entries
'./usr/share/java/libscout.jar' has 35 duplicate entries


though this later is done using diffoscope from unstable while the
rest of the userland is bullseye, so this might be expected as well?


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

:wq


signature.asc
Description: PGP signature

Bug#877337: single-page html of debian-policy to be revived?

2024-04-15 Thread Holger Levsen

On Sun, Apr 14, 2024 at 08:43:51PM +0800, Sean Whitton wrote:
> ... but if dev-ref is already shipping both, maybe singlepage is indeed
> usable these days ...

I think it is.

> > Could the Policy Editors team check, if everything is fine now, and if
> > this should be published again?
> > At least there is still an issue with the footnotes, there are 16 
> > occurrences
> > of #id1 for example... (search for "[1]" in policy-1.html).
> Hrm.  That seems like a pretty serious problem :\

I wouldnt call it serious. annoying yes, maybe.

> Holger L., did you know about this issue?
> Did you decide it was worth publishing anyway?

yes.

https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#how-could-installing-a-package-into-testing-possibly-break-other-packages
or (single page) 
https://www.debian.org/doc/manuals/developers-reference/developers-reference.en.html#how-could-installing-a-package-into-testing-possibly-break-other-packages
both show four footnotes, right where they belong, it's just that
each foot note is numbered and that [1] or [2] or whatever is
a link, pointing to a wrong place.

I agree it's a bug, but I do think it's a pretty harmless one.

-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

"Any fool can know. The point is to understand." - A. Einstein 

signature.asc
Description: PGP signature

Bug#1068890: diffoscope: --hard-timeout option

2024-04-12 Thread Holger Levsen

Package: diffoscope
Version: 264
Severity: wishlist

Dear Maintainer,

currenlty diffoscope has a --timeout option

   --timeout SECONDS
  Best-effort attempt at a global timeout in seconds. If enabled, 
diffoscope will not recurse into any further sub-archives
  after X seconds of total execution time.  (default: no timeout) 
[experimental]

however this doesnt give any guarantees how long diffoscope will be running, so
so far we haven't used it for the RB CI tests, mostly because I'm not sure
what would be a good inner timeout (=for diffoscope) and what would be a good
good outer timeout (=for killing diffoscope from the outside no matter what).

Currently we use 2h as outer timeout, but have no inner timeout. Maybe we should
use --timeout 1h?

Anyhow, about my --hard-timeout option idea:

my idea of "--hard-timeout $time" is that diffoscope terminates itself after
$time, no matter what *and* then re-starts itself with "--max-container-depth 3"
(or whatever is useful to get a glimpse on what files in a Debian package
are different) (probably also with another hard timeout set...) as to guarantee
to always produce meaningful output (especially html output if specified with 
--html).

What do you think?

Else we could also extend the current code for tests.r-b.o/debian, which 
currently
just kills diffoscope after 2h, to then run diffoscope --max-container-depth 3 
:)

https://tests.reproducible-builds.org/debian/index_breakages.html lists
251 pkg/suite/arch combinations where diffoscope runs into a timeout...


& many thanks for rocking diffoscope airlines..! \o/

-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

Bottled water companies don't produce water, they produce plastic bottles.


signature.asc
Description: PGP signature

Bug#1068853: reprotest: SyntaxWarning: invalid escape sequence '\;'

2024-04-12 Thread Holger Levsen

On Fri, Apr 12, 2024 at 10:29:07AM -0700, Vagrant Cascadian wrote:
> How exactly did you get this error?

upgrading my sid schroot. just confirmed the bug by removing it there
and installing it again. then I mounted /proc but the bug is still
there. /dev is also populated, though /usr/bin/mount fails with 
"mount: failed to read mtab: No such file or directory".

> I installed locally, but did not encounter any such issues on package
> installation just now, and also nothing when manually running a simple
> test:
> 
>   reprotest 'date > date' date

that also fails verbosely here:

$ schroot -- reprotest 'date > date' date
WARNING:reprotest:The control build runs on 1 CPU by default, give --min-cpus 
to increase this.
WARNING:reprotest.build:IGNORING user_group variation; supply more usergroups 
with --variations=user_group.available+=USER1:GROUP1;USER2:GROUP2 or 
alternatively, suppress this warning with --variations=-user_group
WARNING:reprotest.build:Not using sudo for domain_host; your build may fail. 
See man page for other options.
WARNING:reprotest.build:Be sure to `echo 1 > 
/proc/sys/kernel/unprivileged_userns_clone` if on a Debian system.
fusermount: failed to open /etc/mtab: No such file or directory
fusermount: mount failed: Operation not permitted
fusermount: failed to unmount /tmp/reprotest.AQkTKX/build-experiment-1: 
Operation not permitted
cleanup failed with exit code 1
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/reprotest/__init__.py", line 862, in run
return 0 if check_func(*check_args) else 1
^^^
  File "/usr/lib/python3/dist-packages/reprotest/__init__.py", line 379, in 
check
local_dists += [proc.send(nv) for nv in zip(bnames[1:], 
build_variations[1:])]

^^^
  File "/usr/lib/python3/dist-packages/reprotest/__init__.py", line 379, in 

local_dists += [proc.send(nv) for nv in zip(bnames[1:], 
build_variations[1:])]
^
  File "/usr/lib/python3/dist-packages/reprotest/__init__.py", line 339, in 
corun_builds
bctx.run_build(testbed, build, os.environ, artifact_pattern, 
testbed_build_pre, no_clean_on_error)
  File "/usr/lib/python3/dist-packages/reprotest/__init__.py", line 218, in 
run_build
testbed.check_exec2(build_argv,
  File "/usr/lib/python3/dist-packages/reprotest/__init__.py", line 63, in 
check_exec2
self.bomb('"%s" failed with status %i' % (' '.join(argv), code),
  File "/usr/lib/python3/dist-packages/reprotest/__init__.py", line 70, in bomb
raise _type(m)
reprotest.lib.adtlog.AutopkgtestError: "sh -ec run_build() {
mkdir -p /tmp/reprotest.AQkTKX/build-experiment-1-aux && \
SETARCH_ARCH=$(for a in $(setarch --list); do setarch $a true && echo $a || 
true; done) && \
DROP_ARCH="-v -e ^$(uname -m)\$" && \
WORDSIZE=64 && \
if [ $WORDSIZE -eq 64 ]; then for _ARCH_TO_DROP in armh armv7b armv7l   
  armv8b armv8l arm athlon i386 i486 i586 i686 linux32 mips32 mips 
parisc32 parisc ppc32le ppc32 ppcle ppc s390 sparc32bash 
sparc32 sparc; do DROP_ARCH="$DROP_ARCH -e ^$_ARCH_TO_DROP\$"; 
done; fi && \
SETARCH_ARCH=$(echo "$SETARCH_ARCH" | grep $DROP_ARCH | shuf -n1) && \
KERNEL_VERSION=$(uname -r) && \
if [ ${KERNEL_VERSION#2.6} = $KERNEL_VERSION ]; then 
SETARCH_OPTS=--uname-2.6; fi && \
CPU_MAX=$(nproc) && \
CPU_MIN=$({ echo $CPU_MAX; echo 1; } | sort -n | head -n1) && \
CPU_NUM=$(if [ $CPU_MIN = $CPU_MAX ]; then echo $CPU_MIN; echo 
>&2 "only 1 CPU is available; num_cpus is ineffective"; else shuf 
-i$((CPU_MIN + 1))-$CPU_MAX -n1; fi) && \
export CPU_LIST="$(echo $(shuf -i0-$((CPU_MAX - 1)) -n$CPU_NUM) | tr ' ' 
,)" && \
mv /tmp/reprotest.AQkTKX/build-experiment-1/ 
/tmp/reprotest.AQkTKX/build-experiment-1-before-disorderfs/ && \
mkdir -p /tmp/reprotest.AQkTKX/build-experiment-1/ && \
disorderfs -q --shuffle-dirents=yes 
/tmp/reprotest.AQkTKX/build-experiment-1-before-disorderfs/ 
/tmp/reprotest.AQkTKX/build-experiment-1/ && \
umask 0002 && \
export REPROTEST_BUILD_PATH=/tmp/reprotest.AQkTKX/build-experiment-1/ && \
export REPROTEST_UMASK=$(umask) && \
unshare -r --uts sh -ec '
hostname reprotest-capture-hostname
domainname "reprotest-capture-domainname"
"$@"' - \
faketime +398days+2hours+27minutes \
taskset -a -c $CPU_LIST \
setarch $SETARCH_ARCH $SETARCH_OPTS \
sh -ec 'cd "$REPROTEST_BUILD_PATH"; unset REPROTEST_BUILD_PATH; umask 
"$REPROTEST_UMASK"; unset REPROTEST_UMASK; date > date'
}

cleanup() {
__c=0; \
export PATH="/tmp/reprotest.AQkTKX/bin:$PATH" || __c=$?; \
fusermount -u /tmp/reprotest.AQkTKX/build-experiment-1/ || __c=$?; \
rmdir /tmp/reprotest.AQkTKX/build-experiment-1/ || __c=$?; \
mv /tmp/reprotest.AQkTKX/build-experiment-1-before-disorderfs/

Bug#1068853: reprotest: SyntaxWarning: invalid escape sequence '\;'

2024-04-12 Thread Holger Levsen

Package: reprotest
Version: 0.7.27
Severity: important

Dear Maintainer,

when installing reprotest 0.7.27:

SyntaxWarning: invalid escape sequence '\;'
Setting up reprotest (0.7.27) ...
/usr/lib/python3/dist-packages/reprotest/__init__.py:360: SyntaxWarning: 
invalid escape sequence '\;'
  run_or_tee(['sh', '-ec', 'find %s -type f -exec sha256sum "{}" \;' % 
self.artifact_pattern],
/usr/lib/python3/dist-packages/reprotest/build.py:315: SyntaxWarning: invalid 
escape sequence '\$'
  _ = _.append_setup_exec_raw('DROP_ARCH="-v -e ^$(uname -m)\$"')
/usr/lib/python3/dist-packages/reprotest/build.py:317: SyntaxWarning: invalid 
escape sequence '\$'
  _ = _.append_setup_exec_raw('if [ $WORDSIZE -eq 64 ]; then \
/usr/lib/python3/dist-packages/reprotest/environ.py:10: SyntaxWarning: invalid 
escape sequence '\w'
  "path": "(/\w{1,12}){1,4}",
/usr/lib/python3/dist-packages/reprotest/environ.py:11: SyntaxWarning: invalid 
escape sequence '\d'
  "port": "([1-9]\d{0,3}|[1-5]\d{4})",
/usr/lib/python3/dist-packages/reprotest/environ.py:12: SyntaxWarning: invalid 
escape sequence '\w'
  "domain": "\w{1,10}(\.\w{1,10}){0,3}",
/usr/lib/python3/dist-packages/reprotest/environ.py:13: SyntaxWarning: invalid 
escape sequence '\w'
  "password": "\w{1,40}",
/usr/lib/python3/dist-packages/reprotest/environ.py:14: SyntaxWarning: invalid 
escape sequence '\w'
  "username": "\w{2,20}",
/usr/lib/python3/dist-packages/reprotest/environ.py:113: SyntaxWarning: invalid 
escape sequence '\w'
  "REPROTEST_CAPTURE_ENVIRONMENT_UNKNOWN_\w+"]
/usr/lib/python3/dist-packages/reprotest/lib/adt_testbed.py:305: SyntaxWarning: 
invalid escape sequence '\['
  script = '''sed -rn 's/^(deb|deb-src) +(\[.*\] *)?([^ 
]*(ubuntu.com|debian.org|ftpmaster|file:\/\/\/tmp\/testarchive)[^ ]*) +([^ -]+) 
+(.*)$/\\1 \\2\\3 \\5-%s \\6/p' /etc/apt/sources.list `ls 
/etc/apt/sources.list.d/*.list 2>/dev/null|| true` > 
/etc/apt/sources.list.d/%s.list; for retry in 1 2 3; do apt-get 
--no-list-cleanup -o Dir::Etc::sourcelist=/etc/apt/sources.list.d/%s.list -o 
Dir::Etc::sourceparts=/dev/null update 2>&1 && break || sleep 15; done''' % 
(pocket, pocket, pocket)
/usr/lib/python3/dist-packages/reprotest/lib/adt_testbed.py:320: SyntaxWarning: 
invalid escape sequence '\/'
  'for d in %s; do [ ! -d $d ] || touch -r $d %s/${d//\//_}.stamp; done' % (
/usr/lib/python3/dist-packages/reprotest/lib/adt_testbed.py:342: SyntaxWarning: 
invalid escape sequence '\/'
  'for d in %s; do s=%s/${d//\//_}.stamp;'
/usr/lib/python3/dist-packages/reprotest/lib/adt_testbed.py:724: SyntaxWarning: 
invalid escape sequence '\('
  script = '''d=%(t)s/deps
/usr/lib/python3/dist-packages/reprotest/lib/adt_testbed.py:1211: 
SyntaxWarning: invalid escape sequence '\/'
  script += '''REL=$(sed -rn '/^(deb|deb-src) 
.*(ubuntu.com|debian.org|ftpmaster|file:\/\/\/tmp\/testarchive)/ { s/^[^ ]+ 
+(\[.*\] *)?[^ ]* +([^ -]+) +.*$/\\2/p}' $SRCS | head -n1); '''


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

The devel is in the details.


signature.asc
Description: PGP signature

Bug#1066340: marked as done (t4kcommon: FTBFS: linebreak.c:163:19: error: implicit declaration of function ‘u8_mbtouc_unsafe’ [-Werror=implicit-function-declaration])

2024-04-11 Thread Holger Levsen

Dear Chris,

On Thu, Apr 11, 2024 at 05:51:05PM +, Debian Bug Tracking System wrote:
> Date: Thu, 11 Apr 2024 17:50:02 +
> From: Debian FTP Masters 
> To: 1066340-cl...@bugs.debian.org
> Subject: Bug#1066340: fixed in t4kcommon 0.1.1-11.2
> Reply-To: Chris Hofstaedtler 

thanks for that NMU, much appreciated! <3


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

Because things are the way they are, things will not stay the way they are.
(Bertolt Brecht)


signature.asc
Description: PGP signature

Bug#1002458: "version in VCS newer than in repository" might be a bit overzealous

2024-04-11 Thread Holger Levsen

On Thu, Apr 11, 2024 at 03:02:05PM +0200, Christoph Berg wrote:
> > additionally you could also only classify d/changelog changing commits
> > with "Gbp-Dch: ignore" in them as such, but I'd guess Marc's suggestion
> > really is good enough.
> I don't understand, if debian/changelog-only commits are already
> ignored, what should vcswatch do additionally?

nothing. I ment it the other way around: if you were *not* willling to
ignore debian/changelog-only commits maybe you'd be willing to ignore
debian/changelog-only commits which also have "Gbp-Dch: ignore"/

but it seems you'd be fine to just ignore debian/changelog-only commits,
so this is mood.

> > Please reconsider, IOW, Myon: my I reassign this back to qa.debian.org
> > for vcswatch?
> Done.

thank you!

-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

If secure encryption is outlawed, only criminals will have it.

signature.asc
Description: PGP signature

Bug#1068705: diffoscope crashes on libscout 2.3.2-3 build on unstable but not bullseye

2024-04-11 Thread Holger Levsen

On Thu, Apr 11, 2024 at 11:28:19AM +0100, Chris Lamb wrote:
[...]
> Applied in Git with attribution taken from your email.
[...]
> Fixed as well. And it adds a nice comment displaying the issue.

awesome, thank you both!


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

Make facts great again.


signature.asc
Description: PGP signature

Bug#872944: #872944 www.debian.org: Remove JavaScript from Policy Manual published on web mirrors

2024-04-11 Thread Holger Levsen

On Thu, Apr 11, 2024 at 09:18:06AM +0200, Thomas Lange wrote:
> A single page html may be an additional option but there's already the
> single page txt version and the PDF. That's sufficient and I see no
> need in providing more formats of this manual.
> 
> Therefore we can close this and I will close 877337.

fwiw, I disagree with this conclusion. single page txt and pdf versions
are no replacements for single page html.


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

Another end of the world is possible.


signature.asc
Description: PGP signature

Bug#1068705: diffoscope crashes on libscout 2.3.2-3 build on unstable but not bullseye

2024-04-10 Thread Holger Levsen

On Thu, Apr 11, 2024 at 01:48:18AM +0200, Fay Stegerman wrote:
> Salsa is probably better for figuring out what to do next, but I get these 
> mails
> too :)

:)
 
> The libscout.jar has duplicate ZIP entries in the central directory, pointing 
> to
> the same actual entry in the ZIP.  So the "overlapped entries" error is 
> entirely
> correct, even if it's not a zip bomb.

ah!

> unzip does seem to extract all the files, though it errors out.  Not sure what
> diffoscope should do here.  This is definitely a broken ZIP file.  That bug
> should probably be reported against libscout or whatever tooling it used to
> create that JAR.

I agree it's more complicated, but fundamentally, diffoscope should *not* crash
here! (but rather report the broken zip file.)

thanks!


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

I’ve said it once, and I’ll say it a thousand times: If the penalty for
breaking a law is a fine, then that law only exists for the poor.


signature.asc
Description: PGP signature

Bug#1002458: "version in VCS newer than in repository" might be a bit overzealous

2024-04-10 Thread Holger Levsen

On Fri, Dec 24, 2021 at 01:36:35PM +0100, Marc Haber wrote:
> On Fri, Dec 24, 2021 at 01:15:08PM +0100, Christoph Berg wrote:
> > Re: Marc Haber
> > > To fill my idea, vcswatch would need to classify commits into "real"
> > > commits and "housekeeping" commits, so that the tracker can handle them
> > > differently.
> > The idea makes sense, but I doubt that is possible without entering a
> > very deep rathole :(
> For starters, an early release could classify changelog-only commits as
> "housekeeping".

*that*!

additionally you could also only classify d/changelog changing commits
with "Gbp-Dch: ignore" in them as such, but I'd guess Marc's suggestion
really is good enough.

Please reconsider, IOW, Myon: my I reassign this back to qa.debian.org
for vcswatch?


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

Only change is constant.


signature.asc
Description: PGP signature

Bug#1068705: diffoscope crashes on libscout 2.3.2-3 build on unstable but not bullseye

2024-04-10 Thread Holger Levsen

On Wed, Apr 10, 2024 at 06:12:21PM +0100, Chris Lamb wrote:
> Holger Levsen wrote:
> 
> > when building libscout 2.3.2-3 on current unstable, the result is also 
> > unreproducible, but diffoscope crashes when analysing the diff.
> I think this is somewhat related to:
>   https://salsa.debian.org/reproducible-builds/diffoscope/-/issues/362
> … which was said to be fixed by Fay in 
> cc3b077f6ef97b4e20036e9823926fe633c7d4d0
> that released as diffoscope version 263 on 2024-04-05.
> However, I can see that the current output of libscout/amd64 on
> tests.reproducible-builds.org is failing with this very version:

yes, indeed.

also, this happened before too, I'm sure about at least with diffoscope 260 
already.
 
> Will loop Fay in via Salsa presently.

thank you!


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

Fischers Fritz fischt Plastik.


signature.asc
Description: PGP signature

Bug#1068761: packaging-tutorial: mention hello and hello-traditional examples

2024-04-10 Thread Holger Levsen

Package: packaging-tutorial
Version: 0.30
Severity: normal

Dear Lucas,

it would be great if the hello pkg would be mentioned, because its a clean 
example
and because there's hello-traditional too.

hello is a good example for using dh in d/rules:

#!/usr/bin/make -f
%:
dh $@

override_dh_auto_clean:
[ ! -f Makefile ] || $(MAKE) distclean

override_dh_installdocs:
dh_installdocs NEWS


Many thanks for packaging-tutorial!


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

“I'll tell you what freedom is to me No fear.” (Nina Simone)


signature.asc
Description: PGP signature

Bug#1068760: packaging-tutorial: discourage cdbs and even pure debhelper more

2024-04-10 Thread Holger Levsen

Package: packaging-tutorial
Version: 0.30
Severity: normal

Dear Lucas,

packaging-tutorial is great, but please discourage the use of cdbs and even 
pure 
debhelper more and emphasize to use dh which is great and simple.

& many thanks for packaging-tutorial!


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

Facts do not cease to exist because they are ignored. (Aldous Huxley)


signature.asc
Description: PGP signature

Bug#1068705: diffoscope crashes on libscout 2.3.2-3 build on unstable but not bullseye

2024-04-09 Thread Holger Levsen

package: diffoscope
version: 263

hi,

diffoscope 263 crashes on libscout 2.3.2-3 build on unstable but not bullseye:
libscout 2.3.2-3 is part of bullseye (but neither bookworm nor trixie) and
builds unreproducible there and diffoscope is able to show a diff.

when building libscout 2.3.2-3 on current unstable, the result is also 
unreproducible, but diffoscope crashes when analysing the diff.

this happens on all 4 tested archs.

I've copied the packages in question to
https://tests.reproducible-builds.org/debian/diffoscope-libscout/artifacts/r00t-me/
for further investigation. (because one .deb is 20mb and there's 16 of them.)


(someone please remind me to delete them there once this bug has been closed.)


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

The hardest part about defending against social engineering is that it
doesn't attack attack the weakness of a community.  It attacks its
*strengths*: trust, collaboration, and mutual assistance. (Russ Allbery)


signature.asc
Description: PGP signature

Bug#1068192: debian-policy: extended forbidden network access to contrib and non-freeo

2024-04-06 Thread Holger Levsen

On Fri, Apr 05, 2024 at 09:49:58PM +0200, Aurelien Jarno wrote:
> If we go that route, here is a proposed alternative patch:
> 
> --- a/policy/ch-source.rst
> +++ b/policy/ch-source.rst
> @@ -338,7 +338,8 @@
>  For example, the build target should pass ``--disable-silent-rules``
>  to any configure scripts.  See also :ref:`s-binaries`.
>  
> -For packages in the main archive, required targets must not attempt
> +Except for packages in the non-free archive with the ``Autobuild``
> +control field unset or set to ``no``, required targets must not attempt
>  network access, except, via the loopback interface, to services on the
>  build host that have been started by the build.

seconded as well.


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

There never has been more knowledge in the world with less conclusions.
(Die Goldenen Zitronen, 1996 or so)


signature.asc
Description: PGP signature

Bug#1068192: debian-policy: extended forbidden network access to contrib and non-free

2024-04-05 Thread Holger Levsen

On Wed, Apr 03, 2024 at 10:58:37PM +0200, Aurelien Jarno wrote:
> Thanks Philipp. Following that result, please find a patch proposal: 
> 
> --- a/policy/ch-source.rst
> +++ b/policy/ch-source.rst
> @@ -338,9 +338,9 @@
>  For example, the build target should pass ``--disable-silent-rules``
>  to any configure scripts.  See also :ref:`s-binaries`.
>  
> -For packages in the main archive, required targets must not attempt
> -network access, except, via the loopback interface, to services on the
> -build host that have been started by the build.
> +Required targets must not attempt network access, except, via the
> +loopback interface, to services on the build host that have been started
> +by the build.
>  
>  Required targets must not attempt to write outside of the unpacked
>  source package tree.  There are two exceptions.  Firstly, the binary

thanks, this looks good to me as well. seconded.


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

Bananas are berries.


signature.asc
Description: PGP signature

Bug#1041832: #1041832: libsequoia-octopus-librnp: undeclared file conflict with thunderbird

2024-03-22 Thread Holger Levsen

hi,

< h01ger> helmut: re:  #1041832: i just could not reproduce this bug, see
https://paste.debian.net/1311659/ - though we "didnt change
anything" in sequoia-octopus, so what am i missing? :)

that paste had basically this content:

± dpkg -L libsequoia-octopus-librnp |grep librnp.so
/usr/lib/sequoia/libsequoia_octopus_librnp.so
/usr/lib/thunderbird/librnp.so
± dpkg -L thunderbird|grep librnp.so
1 ±

<   jochensp> | h01ger: 
https://packages.debian.org/search?searchon=contents=librnp.so=path=unstable=any
 says on ppc64
<   jochensp> | h01ger: also 
https://packages.debian.org/search?suite=bookworm=any=path=contents=librnp.so
< h01ger> jochensp: what? (re: ppc64 only)
<   jochensp> | h01ger: also thunderbird (1:115.0.1-1) has:
 [f78b777] d/mozconfig.default: Use internal shipped
 librnp version and 1:115.1.1-1 reverts that
< jochensp> (and ppc64 is out of date in unstable)
< h01ger> jochensp: ah! [f78b777] - thank you!
< h01ger> jochensp: can i quote you in that bug?
<   jochensp> | h01ger: sure
< h01ger> :) thanks!


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

Just because other people are also responsible, does not mean you are not
responsible.


signature.asc
Description: PGP signature

Bug#1062904: ping to prevent autoremoval

2024-03-21 Thread Holger Levsen

pong

Bug#1067232: limit diffoscope recursions on packages where diffoscope runs into a timeout

2024-03-20 Thread Holger Levsen

On Wed, Mar 20, 2024 at 04:31:22PM +, James Addison wrote:
> > or maybe even simpler: first run diffoscope normally, then if that runs 
> > into a timeout,
> > run with --max-container-depth=3 (or 5). 

It also occured to me that we then could diffoscope with a (way) lower timeout,
eg 60min instead of 155min, because hardly never diffoscope runs longer than
30min, and if it does, it usually runs 155min until it gets killed.

I'm not sure we're collecting data on this, so far this is just an educated 
guess. :)

-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

Stop saying that we are all in the same boat.
We’re all in the same storm. But we’re not all in the same boat.

signature.asc
Description: PGP signature

Bug#1067232: limit diffoscope recursions on packages where diffoscope runs into a timeout

2024-03-20 Thread Holger Levsen

On Wed, Mar 20, 2024 at 04:31:22PM +, James Addison wrote:
> Package: jenkins.debian.org
> X-Debbugs-Cc: hol...@layer-acht.org

no need for that cc:, i'm subscribed to the package.

> That seems like a straightforward way to get started, and without adding much
> complexity.

indeed.

> In reproducible_build.sh it looks like there are some IRC notifications: it
> could make sense to suppress the retried-diffoscope-results, or emit a
> noticably different message for those to distinguish them from the initial
> attempt?

yes. (and I apologize to your eyes for having seen that IRC notification
"logic"... I've looked at it yesterday for too long and only came up with
a small improvement while that whole thing could use an overhaul.)

-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

All data, over time, approaches deleted, or public. (@quinnnorton)

signature.asc
Description: PGP signature

Bug#1067232: limit diffoscope recursions on packages where diffoscope runs into a timeout

2024-03-20 Thread Holger Levsen

package: jenkins.debian.org
severity: wishlist

hi,

in https://salsa.debian.org/qa/jenkins.debian.net/-/merge_requests/163
James Addison suggested to use --max-container-depth=3 (or 5) for
when diffscope runs into a timeout on a package. (or rather not then,
but always, which why this MR wasnt accepted.)

However this lead to the following discussion on irc:

 jayaddison: thanks for closing MR163!
 no probs!  thought it might confuse/distract someone later 
otherwise :)
 jayaddison: thinking about it, we could probably run diffoscope with 
the reduced depth option on those packages we know diffoscope timeouts, eg all 
packages listed more than 4 times on 
https://tests.reproducible-builds.org/debian/index_breakages.html
 the breakage job could generated that list, and then 
reproducible_build.sh could consume it and act accordingly
 interesting idea.  that was going to be my next question (how to 
maintain the list of relevant packages)
 I'm slightly averse to adaptive testing because it becomes a 
maintenance/debug challenge over time, but am thinking about it
 what's the effect of a diffoscope timeout at the moment?  no 
output at all?
< h01ger> thinking about it, this could cause an interesting jojo effect: 
git-annex is tested, diffoscope runs into a timeout. this happens more than 4 
times -> git-annex is put on the list of packages which diffoscope is run on 
with reduced depth. thus, (hopefullly! now) diffoscope doesnt run into a 
timeout 
  anymore. this happens so often that git-annex appears less than 4 
times on the breakages page -> 
 git-annex is tested without a timeout again, rinse repeat, until 
diffoscope or git-annex is improved
 yes, its basically empty, see eg 
https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/diffoscope-results/git-annex.html
 basically true for any link on 
https://tests.reproducible-builds.org/debian/index_breakages.html
 ok.  I guess 'in theory' it'd be nice for diffoscope to diff to 
depth 1, then write output, then proceed to depth 2, rewrite output, etc.
 nah, depth 3/4/5 should be fine, i hope
 first few levels are generally .deb, data/xz or something, and... 
I forget.  but fast/inexpensive compute-wise
 yeah
 if we could write output after each layer, there should always be 
'something' to show on the results page even if it later fails at depth 8 or 
whatever
 s/fails/times-out
 i'd just go with layer X for a start, i doubt its useful to make this 
more sophisticated, esp from the start. also its sophisticated enough to only 
invoke this for a few timeouting packages

or maybe even simpler: first run diffoscope normally, then if that runs into a 
timeout,
run with --max-container-depth=3 (or 5). I think this would be acceptable with
only 286 suite/arch/package combinations currently which run into a timeout.

I'd still like to store/record somewhere (for later reading, eg to then 
semiautomatically
add this information to notes.git) that diffoscope ran into a timeout on this 
package,
but for the moment I don't have a plan how to that exactly.


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

Deutschland ist so rechts, es wird sogar diskutiert ob die Nazis links waren.
(@elhotzo, 20220206)


signature.asc
Description: PGP signature

Bug#1066991: easy way to crash diffoscope

2024-03-16 Thread Holger Levsen

package: diffoscope
version: 240

hi,

crashing diffoscope in under 2min (the package build takes 42sec here).

$ apt source golang-github-stvp-tempredis 
$ sudo pbuilder build golang-github-stvp-tempredis_0.0~git20231107.8a695b6-1.dsc
$ mkdir p1 ; mv /var/cache/pbuilder/unstable/result/* p1/
$ sudo pbuilder build golang-github-stvp-tempredis_0.0~git20231107.8a695b6-1.dsc
$ mkdir p2 ; mv /var/cache/pbuilder/unstable/result/* p2/
$ diffoscope 
p1/golang-github-stvp-tempredis_0.0~git20231107.8a695b6-1_amd64.changes 
p2/golang-github-stvp-tempredis_0.0~git20231107.8a695b6-1_amd64.changes 
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/diffoscope/main.py", line 767, in main
sys.exit(run_diffoscope(parsed_args))
 ^^^
  File "/usr/lib/python3/dist-packages/diffoscope/main.py", line 718, in 
run_diffoscope
difference = compare_root_paths(path1, path2)
 
  File 
"/usr/lib/python3/dist-packages/diffoscope/comparators/utils/compare.py", line 
69, in compare_root_paths
difference = compare_files(file1, file2)
 ^^^
  File 
"/usr/lib/python3/dist-packages/diffoscope/comparators/utils/compare.py", line 
149, in compare_files
return file1.compare(file2, source)
   
  File "/usr/lib/python3/dist-packages/diffoscope/comparators/debian.py", line 
275, in compare
differences = super().compare(other, *args, **kwargs)
  ^^^
  File "/usr/lib/python3/dist-packages/diffoscope/comparators/utils/file.py", 
line 532, in compare
difference = self._compare_using_details(other, source)
 ^^
  File "/usr/lib/python3/dist-packages/diffoscope/comparators/utils/file.py", 
line 467, in _compare_using_details
details.extend(
  File 
"/usr/lib/python3/dist-packages/diffoscope/comparators/utils/container.py", 
line 197, in compare_pair
difference = compare_files(
 ^^
  File 
"/usr/lib/python3/dist-packages/diffoscope/comparators/utils/compare.py", line 
149, in compare_files
return file1.compare(file2, source)
   
  File "/usr/lib/python3/dist-packages/diffoscope/comparators/utils/file.py", 
line 532, in compare
difference = self._compare_using_details(other, source)
 ^^
  File "/usr/lib/python3/dist-packages/diffoscope/comparators/utils/file.py", 
line 467, in _compare_using_details
details.extend(
  File 
"/usr/lib/python3/dist-packages/diffoscope/comparators/utils/container.py", 
line 197, in compare_pair
difference = compare_files(
 ^^
  File 
"/usr/lib/python3/dist-packages/diffoscope/comparators/utils/compare.py", line 
149, in compare_files
return file1.compare(file2, source)
   
  File "/usr/lib/python3/dist-packages/diffoscope/comparators/utils/file.py", 
line 532, in compare
difference = self._compare_using_details(other, source)
 ^^
  File "/usr/lib/python3/dist-packages/diffoscope/comparators/utils/file.py", 
line 467, in _compare_using_details
details.extend(
  File 
"/usr/lib/python3/dist-packages/diffoscope/comparators/utils/container.py", 
line 197, in compare_pair
difference = compare_files(
 ^^
  File 
"/usr/lib/python3/dist-packages/diffoscope/comparators/utils/compare.py", line 
149, in compare_files
return file1.compare(file2, source)
   
  File "/usr/lib/python3/dist-packages/diffoscope/comparators/utils/file.py", 
line 532, in compare
difference = self._compare_using_details(other, source)
 ^^
  File "/usr/lib/python3/dist-packages/diffoscope/comparators/utils/file.py", 
line 467, in _compare_using_details
details.extend(
  File 
"/usr/lib/python3/dist-packages/diffoscope/comparators/utils/container.py", 
line 197, in compare_pair
difference = compare_files(
 ^^
  File 
"/usr/lib/python3/dist-packages/diffoscope/comparators/utils/compare.py", line 
149, in compare_files
return file1.compare(file2, source)
   
  File "/usr/lib/python3/dist-packages/diffoscope/comparators/utils/file.py", 
line 532, in compare
difference = self._compare_using_details(other, source)
 ^^
  File "/usr/lib/python3/dist-packages/diffoscope/comparators/utils/file.py", 
line 433, in _compare_using_details
details.extend(self.compare_details(other, source))
   ^^^
  File "/usr/lib/python3/dist-packages/diffoscope/comparators/rdata.py", line 
166, in

Bug#1066121: ionos 5/6/15/16 loosing network

2024-03-13 Thread Holger Levsen

[22:39] * | h01ger filed a bug about 5/6/15/16 loosing network now
[22:40] * | mapreri ponders the accuracy: the link was still up, so perhaps it 
only lost the IP somehow?
[22:40]  next time I will look up the dhcp lease if there is anything 
odd
[22:40]  mapreri: that pondering could be the right direction..
[11:03]  mapreri: and ionos5+15 are gone again..


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

"Any fool can know. The point is to understand." - A. Einstein 


signature.asc
Description: PGP signature

Bug#1066186: setup mastadon2irc bot

2024-03-13 Thread Holger Levsen

package: jenkins.debian.org

not strictly a jenkins.d.o topic, but it would be nice to have mastadon
mentions on #reproducible-builds again in that channel.

https://github.com/hackspace-marburg/troet

is a Mastodon plugin for Sopel IRC bots, sopel is available in Debian.


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

If it feels like we’re breaking climate records every year, it’s because we are.


signature.asc
Description: PGP signature

Bug#1066122: ionos3 configured twice

2024-03-12 Thread Holger Levsen

package: jenkins.debian.org

some cleanup needs to be done here, we dont need two hosts.

also twitter is dead, so maybe not even one.

though maybe we wanted a mastadon bot?


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

I miss the old days were billionaires’ vanity projects were to build 1000 public
libraries or giant music venues.


signature.asc
Description: PGP signature

Bug#1066121: ionos 5/6/15/16 loosing network

2024-03-12 Thread Holger Levsen

package: jenkins.debian.org

(this has been ongoing for month already)

< h01ger> mapreri: i think we need to put restarting network into some sort of 
'cronjob' (probably only if network is down), ionos5 is been gone since several 
hours and thus half the amd64 builders are down now
< h01ger> not sure how to test if network is up, ping -c 1 8.8.8.8 ?
< mapreri> fwiw, testing the network is actually this very easy:
< mapreri> mattia@ionos5-amd64 ~ % ip -br a
< mapreri> lo   UNKNOWN127.0.0.1/8 ::1/128
< mapreri> eth0 UP fe80::1:5dff:fedf:3b89/64
< mapreri> mattia@ionos5-amd64 ~ % sudo service networking restart
< mapreri> mattia@ionos5-amd64 ~ % ip -br a
< mapreri> lo   UNKNOWN127.0.0.1/8 ::1/128
< mapreri> eth0 UP 85.184.249.130/32 
fe80::1:5dff:fedf:3b89/64
< mapreri> mattia@ionos5-amd64 ~ % 
< mapreri>  
< mapreri> but still, I'd really really prefer to figure out what's happening 
inside those 4 affected hosts :(
< h01ger> what are the 4 nodes?
< h01ger> all ionos/ffm datacenter?
< h01ger> (ffm=frankfurt/main)
< mapreri> yes
< mapreri> 5 6 15 16
 * | h01ger will file a bug using this irc log
< mapreri> today it seems to be only 5, for whatever reason.
< h01ger> i think i might have seen 2+12 loosing network too, but that might 
have been other i386 related failures. i dont think i've seen this with 1+11
< mapreri> (fwiw, `ip -br -4 a show dev eth0` is currently the shortest command 
I use to get a parsable ip4 address)
< h01ger> s#i dont think i've seen this with 1+11#i haven't seen this with 1+11#
< h01ger> those addresses are assigned by dhcp, arent they?
< mapreri> they are
< h01ger> hmm
< mapreri> but it doesn't happen with 3 7 10 that are also there
< mapreri> so I don't think we can blame ionos
< h01ger> in ffm you mean
< mapreri> yep
< h01ger> nods


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

Manchmal kommt der Wind von Lee. (Konny)


signature.asc
Description: PGP signature

Bug#1059479: r-b CI tests very slow

2024-03-12 Thread Holger Levsen

On Tue, Dec 26, 2023 at 05:50:47PM +, Holger Levsen wrote:
> packages tested on average per day in the last week   596 3484482 
> 348
> packages tested on average per day in the last 4 weeks774 4351
> 546 339
> packages tested on average per day in the last 3 months 1018  2987916 
> 359
> packages tested on average per day in the last year   144618621331
> 658

update from today, 12:04 UTC

packages tested yesterday (2024-03-11)  687 960 226 321
packages tested today (2024-03-12)  263 1524181 196
packages tested in the last 24h 633 1909339 451
packages tested on average per day in the last week 607 105274  
95
packages tested on average per day in the last 4 weeks  181 174888  
67
packages tested on average per day in the last 3 months 379 2282
296 217
packages tested on average per day in the last year 104918401036
523

update from today, 16:04 UTC

packages tested yesterday (2024-03-11)  689 961 226 321
packages tested today (2024-03-12)  368 2419299 248
packages tested in the last 24h 601 2721449 425
packages tested on average per day in the last week 625 120394  
103
packages tested on average per day in the last 4 weeks  183 176192  
68
packages tested on average per day in the last 3 months 380 2283
297 217
packages tested on average per day in the last year 104818421035
522

since Saturday we, mostly Mattia, made some relevant changes how we run our
build service (basically now >100 slices, compared to 1 before), so now oomd is
killing the build service and thus all builds several times a day. since 2h
all workers are enabled again, before we were running with less.

so let's revisit this in a week and in 4 weeks. :)


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

wirklicher reichtum ist nicht privatjet fliegen, sondern sich vor dem schützen
können, was privatjet fliegen auslöst." <3 böhmermann am 3.2.23


signature.asc
Description: PGP signature

Bug#1063376: How to ask efficiently for removal of 32 bit architectures of about 40 packages (Was: reverse dependenc)

2024-03-11 Thread Holger Levsen

On Mon, Mar 11, 2024 at 08:26:40PM +, Holger Levsen wrote:
>   do mutt -s "RM: remove $package" -i tmpfile $package

the 2nd $package in that line must be sub...@bugs.debian.org


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

“We live in capitalism. Its power seems inescapable. So did the divine right
 of kings. Any human power can be resisted and changed by human beings.
 Resistance and change often begin in art, and very often in our art, the art
 of words.” ― Ursula K. Le Guin


signature.asc
Description: PGP signature

Bug#1063376: How to ask efficiently for removal of 32 bit architectures of about 40 packages (Was: reverse dependenc)

2024-03-11 Thread Holger Levsen

On Mon, Mar 11, 2024 at 09:12:30PM +0100, Andreas Tille wrote:
> I hope there is some better solution than sending single bug reports
> for those packages.  If ftpmaster tooling really needs single bug
> reports I wonder how I can automatically create such bug reports with
> always the same text, just targeting at different binary packages.
> 
> This also should include some means to work around the less than 5
> bug reports per hour SPAM protection means of BTS.

foo="bin1
bin2
bin3"

$file=/some/path/to/bugreport_without_package_line.txt
tmpfile=$(mktemp)

for package in $foo ; do
( echo "package: $package" ;
  cat $file ) > $tmpfile
do mutt -s "RM: remove $package" -i tmpfile $package
sleep 15m
done
rm $tmpfile

with 40 packages this is just a 10h running script ;)


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

If you’re going through hell, keep going!


signature.asc
Description: PGP signature

Bug#1065463: debootstrap can deal with native dpkg file replacement feature

2024-03-05 Thread Holger Levsen

On Tue, Mar 05, 2024 at 08:36:59AM +0800, Steven Shiau wrote:
> debootstrap should be able to solve the libuuid1t64 dependency by installing
> libuuid1 only.

just in case you are not aware, bootstrapping using either mmdebstrap or
cdebootstrap works atm. mmdebstrap is faster and mostly a drop-in replacement.
(same applies to cdebootstrap but its less faster :)

daily tests are available at:

https://jenkins.debian.net/job/reproducible_debootstrap_unstable/
https://jenkins.debian.net/job/reproducible_cdebootstrap_unstable/
https://jenkins.debian.net/job/reproducible_mmdebstrap_unstable/


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

Where will you go when you become a climate refugee?


signature.asc
Description: PGP signature

Bug#1049716: some analysis

2024-03-02 Thread Holger Levsen

hi,

after *one* build I see:

$ git status
On branch master
Your branch is up to date with 'origin/master'.

Changes not staged for commit:
  (use "git add ..." to update what will be committed)
  (use "git restore ..." to discard changes in working directory)
modified:   documentation/audacity/audacity-manual.fr.po
modified:   documentation/audacity/audacity-manual.ja.po
modified:   documentation/audacity/audacity-manual.nb-no.po
modified:   documentation/audacity/audacity-manual.nl.po
modified:   documentation/audacity/audacity-manual.pl.po
modified:   documentation/audacity/audacity-manual.pot
modified:   documentation/audacity/audacity-manual.pt-br.po
modified:   documentation/audacity/audacity-manual.pt-pt.po
modified:   documentation/audacity/audacity-manual.sv.po
modified:   documentation/audacity/audacity-manual.uk.po
modified:   documentation/audacity/audacity-manual.xml
modified:   documentation/audacity/audacity-manual.zh-cn.po
modified:   
documentation/debian-edu-bookworm/debian-edu-bookworm-manual.xml
modified:   
documentation/debian-edu-bullseye/debian-edu-bullseye-manual.it.po
modified:   
documentation/debian-edu-bullseye/debian-edu-bullseye-manual.xml
modified:   
documentation/debian-edu-itil/debian-edu-itil-manual.nb-no.po
modified:   documentation/debian-edu-itil/debian-edu-itil-manual.nl.po
modified:   documentation/debian-edu-itil/debian-edu-itil-manual.pot
modified:   documentation/debian-edu-itil/debian-edu-itil-manual.xml
modified:   
documentation/debian-edu-itil/debian-edu-itil-manual.zh-cn.po
modified:   documentation/rosegarden/rosegarden-manual.fr.po
modified:   documentation/rosegarden/rosegarden-manual.nb-no.po
modified:   documentation/rosegarden/rosegarden-manual.nl.po
modified:   documentation/rosegarden/rosegarden-manual.pot
modified:   documentation/rosegarden/rosegarden-manual.xml
modified:   documentation/rosegarden/rosegarden-manual.zh-cn.po

Untracked files:
  (use "git add ..." to include in what will be committed)
debian/debian-edu-doc-id/
debian/debian-edu-doc-pl/
debian/debian-edu-doc-pt/
debian/debian-edu-doc-sv/






$ git diff documentation/debian-edu-bookworm/debian-edu-bookworm-manual.xml
diff --git a/documentation/debian-edu-bookworm/debian-edu-bookworm-manual.xml 
b/documentation/debian-edu-bookworm/debian-edu-bookworm-manual.xml
index 0e3eeed8..647e90d4 100644
--- a/documentation/debian-edu-bookworm/debian-edu-bookworm-manual.xml
+++ b/documentation/debian-edu-bookworm/debian-edu-bookworm-manual.xml
@@ -1,4 +1,4 @@
-http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd;>Debian Edu / Skolelinux 12 Bookworm 
ManualPublish date:  

+http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd;>Debian Edu / Skolelinux 12 Bookworm 
ManualPublish date: 2024-02-26
 
 Manual for Debian Edu 12 Codename bookworm







$ git diff documentation/rosegarden/rosegarden-manual.pot
diff --git a/documentation/rosegarden/rosegarden-manual.pot 
b/documentation/rosegarden/rosegarden-manual.pot
index 0a0cc61f..f0b668e3 100644
--- a/documentation/rosegarden/rosegarden-manual.pot
+++ b/documentation/rosegarden/rosegarden-manual.pot
@@ -7,7 +7,7 @@
 msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
-"POT-Creation-Date: 2020-10-06 00:01+0200\n"
+"POT-Creation-Date: 2024-03-01 13:04+\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME \n"
 "Language-Team: LANGUAGE \n"
@@ -1851,8 +1851,8 @@ msgstr ""
 
 #. type: Content of: 

 msgid ""
-"This controller select the different sound banks on your synth/keyboard \"LSB"
-"\" (fine) bank select"
+"This controller select the different sound banks on your synth/keyboard "
+"\"LSB\" (fine) bank select"
 msgstr ""
 
 #. type: Content of: 



-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

Do yo ever think about how capitalism is forcing us to work up until the
eminent extinction of our species as the earth heats to an unlivable
temperature? (@aishamadeit)


signature.asc
Description: PGP signature

Bug#1032752: please drop transitional package gnupg-agent from src:gnupg2

2024-02-17 Thread Holger Levsen

On Sat, Feb 17, 2024 at 01:29:54PM +0100, Andreas Metzler wrote:
> Control: block -1 by 1064104 1064105 1064110 1064111 1064112 1064113 1064114 
> 1064115 1064116 1064118 1064117 1064119 1064120
> I have submitted bugs against packages in sid with
> Depends/Suggest/Recommends on gnupg-agent.

great, thank you!


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

Make earth cool again.


signature.asc
Description: PGP signature

Bug#1062259: libcomps: NMU diff for 64-bit time_t transition

2024-02-15 Thread Holger Levsen

On Wed, Feb 14, 2024 at 10:31:21AM -0800, Steve Langasek wrote:
> Well, these packages will be garbage collected from experimental upon the
> next upload of a package to unstable or experimental with a higher version;

which might happen next month or next year or in 2027...

> so this is a low priority vs the work to actually get the transition done
> successfully.

I'd appreciate if transitions would be less messy for random bystanders.
it takes you one email to ask for the removal of all errously uploaded
packages.

i'm not impressed.

-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

The planet we think we're living on no longer exists.

signature.asc
Description: PGP signature

Bug#1063736: snort removal from bullseye (Re: Bug#1063736: RM: snort -- RoQA; security issues, unmaintained)

2024-02-12 Thread Holger Levsen

clone 1063736 -1
reassign -1 debian-security-support
retitle -1 document snort situation in bullseye
thanks

hi,

On Sun, Feb 11, 2024 at 09:44:18PM +, Jonathan Wiltshire wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bullseye
> User: release.debian@packages.debian.org
> Usertags: rm
> 
> Requested by security team. Not in stable or testing.

once this has happened we should communicate this to our users via
debian-security-upload to bullseye.

-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

Deadly heatwaves, floods, storms, wildfires, droughts, crop failures... 
This is not “the new normal”. We’re at the very beginning of a climate and
ecological emergency, and extreme weather events will only become more and
more frequent.

signature.asc
Description: PGP signature

Bug#1063712: check-dfsg-status: integration of monthly cron job with systemd-cron

2024-02-11 Thread Holger Levsen

On Sun, Feb 11, 2024 at 07:39:41PM +0100, Alexandre Detiste wrote:
> > > PS: this need a not yet released systemd-cron to actually work.
> > any idea when it will be released?
> Now, we are both upstream & downstream, it's easy.

ok, please ping this bug once it's in trixie.


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

I’ve said it once, and I’ll say it a thousand times: If the penalty for
breaking a law is a fine, then that law only exists for the poor.


signature.asc
Description: PGP signature

Bug#1063712: check-dfsg-status: integration of monthly cron job with systemd-cron

2024-02-11 Thread Holger Levsen

On Sun, Feb 11, 2024 at 04:32:58PM +0100, Alexandre Detiste wrote:
> Unless #1026287 "use systemd .timer unit instead of /etc/cron.monthly"
> got implemented, would it be possible to ship a
> tiny 2 lines "old-style-mail.conf"  drop-in systemd overide that
> overides how systemd-cron will style the monthly report ?
> 
> This drop-in would have no effect on Vixie cron or cronie.
 
sounds reasonable & thanks for the (almost) patch!

> PS: this need a not yet released systemd-cron to actually work.

any idea when it will be released?


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

Change is coming whether you like it or not.


signature.asc
Description: PGP signature

Bug#1062259: libcomps: NMU diff for 64-bit time_t transition

2024-02-07 Thread Holger Levsen

On Wed, Feb 07, 2024 at 04:25:17PM +, Luca Boccassi wrote:
> Control: tags -1 -pending
> Control: close -1
[...]
> There are no mentions of 'time_t' in the public headers of this
> library. The logs shows that it's a false positive, as the automated
> tool simply wasn't able to build it:
[...] 
> Closing as not applicable.

thanks for closing this bug and thanks for the t64 transition in the first 
place!
that said, someone needs to request the removal of src:libcomps from 
experimental
now, and if this would only affect src:libcomps I would probably do that myself,
but knowing there are several many cases of this: please also request removal of
those packages from experimental which were accidently uploaded there! thanks 
for
that too & already!

-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

The past is over.

signature.asc
Description: PGP signature

Bug#1062983: Developers Reference in A4 instead of US Letter

2024-02-05 Thread Holger Levsen

On Mon, Feb 05, 2024 at 11:00:42AM +0800, Paul Wise wrote:
> > I think for English at least I'd prefer to offer both A4 and letter, for eg
> > the German translation I think it's enough to only provide A4.
> Looks like that info can be gotten from the locales on glibc systems:
[...]

nice, thanks.

> For languages with one translation instead of one per dialect,
> you could produce documents in each of the unique sizes.

I don't understand, what do you mean with "one per dialect" here?


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

Cholera is over. It's safe to put sewage in our drinking water again.
(@stimmyskye)


signature.asc
Description: PGP signature

Bug#1062983: Developers Reference in A4 instead of US Letter

2024-02-04 Thread Holger Levsen

hi & thanks for filing this bug report!

On Sun, Feb 04, 2024 at 10:57:03AM +0100, Sebastian Geiger (Lanoxx) wrote:
> May I request, that:
> 
> a) We switch to A4 as the default format for the developers-reference
> since that is the format used by most of the world.
> b) We consider offering both formats on the Debian manuals page, so that
> users can choose their preferred format.

I think for English at least I'd prefer to offer both A4 and letter, for eg
the German translation I think it's enough to only provide A4.


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

"I like beautiful people. I don't care about their looks."


signature.asc
Description: PGP signature

Bug#1062233: Acknowledgement (bookworm-pu: package debian-edu-doc/2.12.23~deb12u1)

2024-01-31 Thread Holger Levsen

On Wed, Jan 31, 2024 at 08:01:15PM +, Holger Levsen wrote:
> debdiff no attached. I've also uploaded already.
  now!
 
(the attachment was in my previous mail to this bug however.)


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

Imagine god created trillions of galaxies but freaks out because some dude
kisses another.


signature.asc
Description: PGP signature

Bug#1062233: bookworm-pu: package debian-edu-doc/2.12.23~deb12u1

2024-01-31 Thread Holger Levsen

Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
x-debbugs-cc: debian-...@lists.debian.org

[ Reason ]
Documentation updates for the Debian Edu bookworm manual,
translations updates for the Debian Edu bookworm and bullseye manuals.

[ Impact ]
outdated documentation.

[ Risks ]
broken documentation updated human languages :)

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
This is the debdiff to what's in bookworm today:

 debian/changelog   
  |   61 
 debian/copyright   
  |2 
 debian/copyright.packaging 
  |2 
 documentation/debian-edu-bookworm/debian-edu-bookworm-manual-stripped.xml  
  |8 
 documentation/debian-edu-bookworm/debian-edu-bookworm-manual.da.po 
  |   23 
 documentation/debian-edu-bookworm/debian-edu-bookworm-manual.de.po 
  |   33 
 documentation/debian-edu-bookworm/debian-edu-bookworm-manual.es.po 
  |   62 
 documentation/debian-edu-bookworm/debian-edu-bookworm-manual.fr.po 
  |   33 
 documentation/debian-edu-bookworm/debian-edu-bookworm-manual.it.po 
  |  339 -
 documentation/debian-edu-bookworm/debian-edu-bookworm-manual.ja.po 
  |   33 
 documentation/debian-edu-bookworm/debian-edu-bookworm-manual.nb-no.po  
  |   23 
 documentation/debian-edu-bookworm/debian-edu-bookworm-manual.nl.po 
  |   26 
 documentation/debian-edu-bookworm/debian-edu-bookworm-manual.pl.po 
  |   23 
 documentation/debian-edu-bookworm/debian-edu-bookworm-manual.pot   
  |   16 
 documentation/debian-edu-bookworm/debian-edu-bookworm-manual.pt-br.po  
  |  626 +
 documentation/debian-edu-bookworm/debian-edu-bookworm-manual.pt-pt.po  
  |   33 
 documentation/debian-edu-bookworm/debian-edu-bookworm-manual.pt.add
  |2 
 documentation/debian-edu-bookworm/debian-edu-bookworm-manual.pt.po 
  |  663 +-
 documentation/debian-edu-bookworm/debian-edu-bookworm-manual.ro.po 
  | 4598 --
 documentation/debian-edu-bookworm/debian-edu-bookworm-manual.sv.po 
  |   23 
 documentation/debian-edu-bookworm/debian-edu-bookworm-manual.uk.add
  |7 
 documentation/debian-edu-bookworm/debian-edu-bookworm-manual.uk.po 
  | 8162 ++
 documentation/debian-edu-bookworm/debian-edu-bookworm-manual.xml   
  |8 
 documentation/debian-edu-bookworm/debian-edu-bookworm-manual.zh-cn.po  
  |   23 
 documentation/debian-edu-bookworm/debian-edu-bookworm-manual.zh-tw.po  
  | 6343 
 
documentation/debian-edu-bookworm/source/AllInOne-debian-edu-bookworm-manual.xml
 |7 
 documentation/debian-edu-bullseye/debian-edu-bullseye-manual.pt.add
  |2 
 documentation/debian-edu-bullseye/debian-edu-bullseye-manual.pt.po 
  |6 
 documentation/debian-edu-bullseye/debian-edu-bullseye-manual.ro.po 
  | 4500 +-
 documentation/debian-edu-bullseye/debian-edu-bullseye-manual.uk.add
  |6 
 documentation/debian-edu-bullseye/debian-edu-bullseye-manual.uk.po 
  | 7365 +++
 documentation/debian-edu-bullseye/debian-edu-bullseye-manual.zh-tw.po  
  | 7066 --
 32 files changed, 22400 insertions(+), 17724 deletions(-)


[ Other info ]
I'll attach the full debdiff wants this bugs has made it to the list.


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

This is the year of gpg on the desktop! (Gunnar Wolf)


signature.asc
Description: PGP signature

Bug#1061983: bullseye-pu: package debian-security-support/1:11+2024.01.30

2024-01-30 Thread Holger Levsen

Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: debian-security-supp...@packages.debian.org
Control: affects -1 + src:debian-security-support

[ Reason ]
  * Add chromium to security-support-ended.deb11, thanks to Andres Salomon.
Closes: #1061268
  * Add tiles and libspring-java to security-support-limited. Closes: #1057343

[ Impact ]
Users might not learn that security support for some packages has ended.

[ Risks ]
trivial change, data-only update

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable



The diff is against the version already approved for+in bullseye-p-u:

 debian/.gitlab-ci.yml|   13 -
 debian/changelog |9 +
 security-support-ended.deb11 |4 +++-
 security-support-limited |2 ++
 4 files changed, 14 insertions(+), 14 deletions(-)

The .gitlab-ci.yml is desired and harmless.

The full diff is attached.


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

Es war mir eine Lehre, dich kennenzulernen.
diff -Nru debian-security-support-11+2023.12.11/debian/changelog debian-security-support-11+2024.01.30/debian/changelog
--- debian-security-support-11+2023.12.11/debian/changelog	2023-12-22 16:48:41.0 +0100
+++ debian-security-support-11+2024.01.30/debian/changelog	2024-01-30 17:55:19.0 +0100
@@ -1,3 +1,12 @@
+debian-security-support (1:11+2024.01.30) bullseye; urgency=medium
+
+  * Add chromium to security-support-ended.deb11, thanks to Andres Salomon.
+Closes: #1061268
+  * Add tiles and libspring-java to security-support-limited. Closes: #1057343
+  * Drop debian/.gitlab-ci.yml.
+
+ -- Holger Levsen   Tue, 30 Jan 2024 17:55:19 +0100
+
 debian-security-support (1:11+2023.12.11) bullseye; urgency=medium
 
   [ Santiago Ruano Rincón ]
diff -Nru debian-security-support-11+2023.12.11/debian/.gitlab-ci.yml debian-security-support-11+2024.01.30/debian/.gitlab-ci.yml
--- debian-security-support-11+2023.12.11/debian/.gitlab-ci.yml	2023-12-22 16:46:13.0 +0100
+++ debian-security-support-11+2024.01.30/debian/.gitlab-ci.yml	1970-01-01 01:00:00.0 +0100
@@ -1,13 +0,0 @@
-image: debian:unstable
-
-build: 
-  stage: build
-  
-  before_script:
-- apt-get update && apt-get -y install devscripts git-buildpackage
-- mk-build-deps --tool "apt -y -o Debug::pkgProblemResolver=yes --no-install-recommends" --install -r debian/control
-
-  script:
-- git checkout master
-- git pull
-- gbp buildpackage -uc -us
diff -Nru debian-security-support-11+2023.12.11/security-support-ended.deb11 debian-security-support-11+2024.01.30/security-support-ended.deb11
--- debian-security-support-11+2023.12.11/security-support-ended.deb11	2023-12-22 16:47:38.0 +0100
+++ debian-security-support-11+2024.01.30/security-support-ended.deb11	2024-01-30 17:51:03.0 +0100
@@ -10,6 +10,8 @@
 # 4. Descriptive text or URL with more details (optional)
 #In the program's output, this is prefixed with "Details:"
 
-tor  0.4.5.16-1  2023-11-22  https://lists.debian.org/debian-security-announce/2023/msg00258.html
+chromium 120.0.6099.224-1~deb11u12024-01-23  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1061268
 consul   1.8.7+dfsg1-2   2023-12-04  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1057418
 xen  4.14.5+94-ge49571868d-1 2023-09-30  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053246
+tor  0.4.5.16-1  2023-11-22  https://lists.debian.org/debian-security-announce/2023/msg00258.html
+
diff -Nru debian-security-support-11+2023.12.11/security-support-limited debian-security-support-11+2024.01.30/security-support-limited
--- debian-security-support-11+2023.12.11/security-support-limited	2023-12-22 16:47:38.0 +0100
+++ debian-security-support-11+2024.01.30/security-support-limited	2024-01-30 17:55:19.0 +0100
@@ -15,6 +15,7 @@
 gnupg1  See #982258 and https://www.debian.org/releases/stretch/amd64/release-notes/ch-whats-new.en.html#modern-gnupg
 kde4libskhtml has no security support upstream, only for use on trusted content
 khtml   khtml has no security support upstream, only for use on trusted content, see #1004293
+libspring-java  should be only used for building other Debian packages or in a secured local environment with trusted devices.
 mozjs68 Not covered by security support, only suitable for trusted content, see #959804
 mozjs78 Not covered by security support, only suitable for trusted content, see #9598

Bug#1057527: munin: FTBFS with default Java 21

2024-01-30 Thread Holger Levsen

On Tue, Jan 30, 2024 at 11:57:07AM +1300, Vladimir Petko wrote:
>   Would it be possible to consider a merge request[1] that addresses this 
> issue?
 
yes, thanks for your patch. I'll upload some time in February...


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

Because things are the way they are, things will not stay the way they are.
(Bertolt Brecht)


signature.asc
Description: PGP signature

Bug#1061487: bookworm-pu: package rpm/4.18.0+dfsg-1+deb12u1

2024-01-25 Thread Holger Levsen

On Thu, Jan 25, 2024 at 02:39:03PM +0200, Peter Pentchev wrote:
> [ Impact ]
> Users who upgrade from RPM 4.16.0 or earlier to 4.18.0 cannot use
> their database of packages already installed via RPM.

IOW, qubes 4.x users:

https://github.com/QubesOS/qubes-issues/issues/8482
"Dom0 updates fail when update qube is based on Debian 12 or Whonix 17"


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

Bananas are berries.


signature.asc
Description: PGP signature

Bug#1061258: rpm: enable read-only BerkeleyDB backend for bookworm?

2024-01-25 Thread Holger Levsen

On Thu, Jan 25, 2024 at 03:36:30PM +0200, Peter Pentchev wrote:
> FWIW, I just filed #1061487 with the proposed stable update.

awesome. and fwiw, the attached patch there looks sensible to me! ;)



-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

Very hard to relate to those who think the first three years of the pandemic
were bad because they couldn’t go to bars for a while, as opposed to because
25 million people died, 400 million were disabled, and many more continue to
be unable to access public space.


signature.asc
Description: PGP signature

Bug#1061258: rpm: enable read-only BerkeleyDB backend for bookworm?

2024-01-22 Thread Holger Levsen

Hi Peter,

On Mon, Jan 22, 2024 at 07:49:53PM +0200, Peter Pentchev wrote:
> Yes, I did fully intend to submit it for stable-updates after it had
> spent a couple of days in unstable and possibly migrated to
> testing. Thanks, though - for all you knew, I had not even
> considered it, so thanks for the reminder, 

awesome, thanks already! And please do reach out if you need any help
with that!

> and thanks for all
> your work on Debian.

uhm, thanks, *blushes*. :)


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

No mas pobres en un pais rico!


signature.asc
Description: PGP signature

Bug#1061258: rpm: enable read-only BerkeleyDB backend for bookworm?

2024-01-22 Thread Holger Levsen

hi,

from reading the d/changelog entry "Enable the read-only BerkeleyDB backend.
Closes: #1061258" it sounds like it should be possible to have this fix
in bookworm too, via the upcoming point release?!

I think it would qualify, as it's breaking updating Qubes dom0 via
a debian based update-vm (see 
https://github.com/QubesOS/qubes-issues/issues/8482)
which is a.) an important use-case and b.) a regression compared to bullseye.

What do you think?


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

„Copyright is for losers ©™“ (Banksy)


signature.asc
Description: PGP signature

Bug#1054189: bullseye-pu: package debian-security-support/1:11+2023.10.17

2024-01-21 Thread Holger Levsen

hi!

On Fri, Dec 29, 2023 at 03:23:55PM +, Jonathan Wiltshire wrote:
> In the past this package has been released early via stable-updates; is
> that your intention this time, or can it wait until the next point release
> expected in February?

after having spent a bit too much time thinking about this I've came to the
conclusion that I think updates of d-s-s in stable and previous releases should
a.) always come with an announcement and b.) always come ASAP, whatever
that means in details.

Does that make sense to you too?

(for completeness: updates in unstable and testing should also be done ASAP
and without announcements.)

-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

»Sieh, dass du Mensch bleibst. Mensch sein ist von allem die Hauptsache.
Und das heißt fest und klar und heiter sein, ja heiter, trotz alledem.«
(Rosa Luxemburg)

signature.asc
Description: PGP signature

Bug#1061153: ITP: sigsum-go -- tools for public and transparent logging of signed checksums

2024-01-21 Thread Holger Levsen

Hi Simon,

On Fri, Jan 19, 2024 at 05:32:05PM +0100, Simon Josefsson wrote:
> * URL : https://git.glasklar.is/sigsum/core/sigsum-go
>   Description : tools for public and transparent logging of signed 
> checksums
> 
>  The goal of Sigsum is to provide building blocks that can be used to
>  enforce public logging of signed checksums.

do you think this would be a suitable tool to publically log all checksums of
all Debian source and binary packages published?


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

Life may not be the party we hoped for, but while we're here we might as well
dance!


signature.asc
Description: PGP signature

Bug#1060422: partman-crypto: add support for new cryptsetup options for opal/sed

2024-01-15 Thread Holger Levsen

On Mon, Jan 15, 2024 at 10:46:14AM +, Luca Boccassi wrote:
> > huh, if there's a bug in the firmware to accidently store the encryption
> > key on the drive in plaintext, it doesn't cost anything extra.
> Sure, and if there's a bug in your CPU to accidentally reveal all
> kernel secrets to any unprivileged userspace process via sidechannels
> it doesn't cost anything extra either. Doesn't really mean much though
> for this case.

it's an unneeded additional attack vector.
 
> We aren't though - and the category includes me too of course. Nobody
> is going to spend $100 million dollars to hardware-backdoor my
> computer

yes, because several dozens are available much cheaper already.


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

The mark of a civilized man is the ability to look at a column of numbers and
weep. (Bertrand Russell)


signature.asc
Description: PGP signature

Bug#1060367: release.debian.org: RFC: Transitions check for dupload?

2024-01-15 Thread Holger Levsen

On Sun, Jan 14, 2024 at 10:06:44PM +0100, Guillem Jover wrote:
> Warning: Source package barnowl is part of ongoing transitions:
>   
>   
> (I think I'll be adding some generic way to skip specific hooks,
> because this is a common pattern among them, something like
> --skip-hooks=a,b and DUPLOAD_SKIP_HOOKS=a,b.)
> > Continue anyway? (yes/NO) 
 
/me likes!

Though I'm a dput user. :) So I also applause sorting this out with
dupload first and then filing wishbugs for dput & dput-ng!


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

The devel is in the details.


signature.asc
Description: PGP signature

Bug#1060422: partman-crypto: add support for new cryptsetup options for opal/sed

2024-01-15 Thread Holger Levsen

On Sun, Jan 14, 2024 at 08:37:30PM +, Luca Boccassi wrote:
> Most definitely wrong. If your threat model is "hardware vendor will
> spend hundreds of millions of dollars to get at me" then your cpu
> vendor, memory controller vendor, etc etc can do that too, so you
> better not use this nor any other type of hardware acceleration, ever.

huh, if there's a bug in the firmware to accidently store the encryption
key on the drive in plaintext, it doesn't cost anything extra.

> The good news is, if you are writing on a Debian bug tracker then you
> are not even remotely interesting enough for any hardware manufacturer
> to spend even a tiny fraction of that, so it's all good.

huh. the Snowden papers explicitly showed that sysadmins and developers
are being targeted, to go after "the real targets".

I originally didn't want to comment on this bug further, as I am ok
with the current wording but saying that people contributing to Debian
are "not even remotely interesting" is just wrong. 

(And the other framing about contributors with maybe minor contributions
is also rather wrong, but for other reasons.)

-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

These heat waves aren’t tragedies, they’re crimes. The fossil fuel industry
knew decades ago that this is what their pollution was causing, so they
spent billions to lie to the public and block climate action.

signature.asc
Description: PGP signature

Bug#1060422: partman-crypto: add support for new cryptsetup options for opal/sed

2024-01-12 Thread Holger Levsen

On Thu, Jan 11, 2024 at 07:55:18PM +, Luca Boccassi wrote:
> Thank you for the feedback, MR on Salsa is updated as described.

<3


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

The average US president has been charged with 2 felonies: #45 with 91 and
the others with 0.


signature.asc
Description: PGP signature

Bug#1059480: r-b CI: some packages are tried several times...

2024-01-11 Thread Holger Levsen

hi,

sks is a frequent example of this, it seems:

root@jenkins:/var/log/reproducible-builds# ls -lart diffoscope_stamp_sks_*
[omitted results in 2023 even...]
-rw-r--r-- 1 jenkins jenkins 0 Jan  6 14:42 
diffoscope_stamp_sks_bookworm_amd64_1704552146
-rw-r--r-- 1 jenkins jenkins 0 Jan  7 22:22 
diffoscope_stamp_sks_bookworm_i386_1704666171
-rw-r--r-- 1 jenkins jenkins 0 Jan  7 22:47 
diffoscope_stamp_sks_bookworm_i386_1704667656
-rw-r--r-- 1 jenkins jenkins 0 Jan  8 00:52 
diffoscope_stamp_sks_bookworm_i386_1704675167
-rw-r--r-- 1 jenkins jenkins 0 Jan  8 02:58 
diffoscope_stamp_sks_bookworm_i386_1704682720
-rw-r--r-- 1 jenkins jenkins 0 Jan  8 03:10 
diffoscope_stamp_sks_bookworm_i386_1704683427
-rw-r--r-- 1 jenkins jenkins 0 Jan  9 00:42 
diffoscope_stamp_sks_bookworm_i386_1704760931
-rw-r--r-- 1 jenkins jenkins 0 Jan  9 04:26 
diffoscope_stamp_sks_bookworm_i386_1704774371
-rw-r--r-- 1 jenkins jenkins 0 Jan  9 05:14 
diffoscope_stamp_sks_bullseye_i386_1704777292
-rw-r--r-- 1 jenkins jenkins 0 Jan  9 05:26 
diffoscope_stamp_sks_bookworm_i386_1704778006
-rw-r--r-- 1 jenkins jenkins 0 Jan  9 05:39 
diffoscope_stamp_sks_bullseye_i386_1704778753
-rw-r--r-- 1 jenkins jenkins 0 Jan  9 07:06 
diffoscope_stamp_sks_bullseye_i386_1704784009
-rw-r--r-- 1 jenkins jenkins 0 Jan  9 07:25 
diffoscope_stamp_sks_bookworm_i386_1704785134
-rw-r--r-- 1 jenkins jenkins 0 Jan  9 07:37 
diffoscope_stamp_sks_bullseye_i386_1704785850
-rw-r--r-- 1 jenkins jenkins 0 Jan  9 07:49 
diffoscope_stamp_sks_bullseye_i386_1704786551
-rw-r--r-- 1 jenkins jenkins 0 Jan  9 07:49 
diffoscope_stamp_sks_bookworm_i386_1704786555
-rw-r--r-- 1 jenkins jenkins 0 Jan  9 08:01 
diffoscope_stamp_sks_bookworm_i386_1704787308
-rw-r--r-- 1 jenkins jenkins 0 Jan  9 08:12 
diffoscope_stamp_sks_bullseye_i386_1704787978
-rw-r--r-- 1 jenkins jenkins 0 Jan  9 08:23 
diffoscope_stamp_sks_bookworm_i386_1704788592
-rw-r--r-- 1 jenkins jenkins 0 Jan  9 08:34 
diffoscope_stamp_sks_bookworm_i386_1704789247
-rw-r--r-- 1 jenkins jenkins 0 Jan  9 08:34 
diffoscope_stamp_sks_bullseye_i386_1704789279
-rw-r--r-- 1 jenkins jenkins 0 Jan  9 08:58 
diffoscope_stamp_sks_bullseye_i386_1704790696
-rw-r--r-- 1 jenkins jenkins 0 Jan  9 09:08 
diffoscope_stamp_sks_bookworm_i386_1704791297
-rw-r--r-- 1 jenkins jenkins 0 Jan  9 09:21 
diffoscope_stamp_sks_bullseye_i386_1704792106
-rw-r--r-- 1 jenkins jenkins 0 Jan  9 10:05 
diffoscope_stamp_sks_bookworm_i386_1704794720
-rw-r--r-- 1 jenkins jenkins 0 Jan  9 10:17 
diffoscope_stamp_sks_bullseye_i386_1704795424
-rw-r--r-- 1 jenkins jenkins 0 Jan  9 10:30 
diffoscope_stamp_sks_bookworm_i386_1704796250
-rw-r--r-- 1 jenkins jenkins 0 Jan  9 10:53 
diffoscope_stamp_sks_bullseye_i386_1704797633
-rw-r--r-- 1 jenkins jenkins 0 Jan  9 11:07 
diffoscope_stamp_sks_bullseye_i386_1704798466
-rw-r--r-- 1 jenkins jenkins 0 Jan  9 11:21 
diffoscope_stamp_sks_bookworm_i386_1704799292
-rw-r--r-- 1 jenkins jenkins 0 Jan  9 11:35 
diffoscope_stamp_sks_bullseye_i386_1704800157
-rw-r--r-- 1 jenkins jenkins 0 Jan  9 11:48 
diffoscope_stamp_sks_bookworm_i386_1704800908
-rw-r--r-- 1 jenkins jenkins 0 Jan  9 11:53 
diffoscope_stamp_sks_bullseye_i386_1704801180
-rw-r--r-- 1 jenkins jenkins 0 Jan  9 13:34 
diffoscope_stamp_sks_bullseye_i386_1704807262
-rw-r--r-- 1 jenkins jenkins 0 Jan  9 13:47 
diffoscope_stamp_sks_bookworm_i386_1704808033
-rw-r--r-- 1 jenkins jenkins 0 Jan  9 13:48 
diffoscope_stamp_sks_bullseye_i386_1704808109
-rw-r--r-- 1 jenkins jenkins 0 Jan  9 14:23 
diffoscope_stamp_sks_bookworm_i386_1704810196
-rw-r--r-- 1 jenkins jenkins 0 Jan  9 14:35 
diffoscope_stamp_sks_bullseye_i386_1704810917
-rw-r--r-- 1 jenkins jenkins 0 Jan  9 14:46 
diffoscope_stamp_sks_bookworm_i386_1704811593
-rw-r--r-- 1 jenkins jenkins 0 Jan  9 14:57 
diffoscope_stamp_sks_bullseye_i386_1704812234
-rw-r--r-- 1 jenkins jenkins 0 Jan  9 15:09 
diffoscope_stamp_sks_bookworm_i386_1704812990
-rw-r--r-- 1 jenkins jenkins 0 Jan  9 16:39 
diffoscope_stamp_sks_bullseye_i386_1704818375
-rw-r--r-- 1 jenkins jenkins 0 Jan  9 16:50 
diffoscope_stamp_sks_bookworm_i386_1704819008
-rw-r--r-- 1 jenkins jenkins 0 Jan  9 16:50 
diffoscope_stamp_sks_bullseye_i386_1704819026
-rw-r--r-- 1 jenkins jenkins 0 Jan  9 17:03 
diffoscope_stamp_sks_bullseye_i386_1704819780
-rw-r--r-- 1 jenkins jenkins 0 Jan  9 17:15 
diffoscope_stamp_sks_bookworm_i386_1704820528
-rw-r--r-- 1 jenkins jenkins 0 Jan  9 18:19 
diffoscope_stamp_sks_bullseye_i386_1704824384
-rw-r--r-- 1 jenkins jenkins 0 Jan  9 18:36 
diffoscope_stamp_sks_bookworm_i386_1704825380
-rw-r--r-- 1 jenkins jenkins 0 Jan  9 19:17 
diffoscope_stamp_sks_bullseye_i386_1704827850
-rw-r--r-- 1 jenkins jenkins 0 Jan  9 19:39 
diffoscope_stamp_sks_bookworm_i386_1704829171
-rw-r--r-- 1 jenkins jenkins 0 Jan  9 20:03 
diffoscope_stamp_sks_bullseye_i386_1704830636
-rw-r--r-- 1 jenkins jenkins 0 Jan  9 22:07 
diffoscope_stamp_sks_bookworm_i386_1704838055
-rw-r--r-- 1 jenkins jenkins 0 Jan  9 22:24 
diffoscope_stamp_sks_bullseye_i386_1704839063
-rw-r--r-- 1

Bug#1060422: partman-crypto: add support for new cryptsetup options for opal/sed

2024-01-11 Thread Holger Levsen

On Thu, Jan 11, 2024 at 11:56:28AM +, Luca Boccassi wrote:
[...]
> How about if I changed the Description from:
>  Self-encrypting disk (opal with LUKS2)
> to something like:
>  Firmware-backed self-encrypting disk (vendor-implemented OPAL with
> LUKS2)
> Would that suffice? If not, do you have an alternative wording in mind?

sounds much better (and sufficient, for all the reasons you mentioned)
to me, thanks!


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

It's climate crime, not climate change.


signature.asc
Description: PGP signature

Bug#1060422: partman-crypto: add support for new cryptsetup options for opal/sed

2024-01-11 Thread Holger Levsen

On Thu, Jan 11, 2024 at 01:47:59AM +, Luca Boccassi wrote:
> cryptsetup 2.7.0, currently in experimental, added support for self
> encrypting drives using the OPAL functionality as the encryption layer
> (managed by the kernel, not by the TCG utilities), both in standalone
[...]
> I have added support for these new options in partman-crypto, MR on
> Salsa is open:
> 
> https://salsa.debian.org/installer-team/partman-crypto/-/merge_requests/7
> 
> The new options are shown only in the manual partitioning mode, and
> only if the kernel, cryptsetup and the device all support this
> functionality, otherwise they are hidden. A factory reset option for
> the disk is also exposed. A small utility to call the required ioctl to
> check for support on a given disk is added too.

doesnt OPAL functionality rely on the implementation on the hdd/sdd
and thus on non-free software? If so, I'd suggest to warn that it's
impossible to review the security of this.

also see https://wiki.archlinux.org/title/Self-encrypting_drives#Disadvantages

I'm not against adding this functionality per se, I just think it should
come with really big warning labels.


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

The people who refer to the pandemic in the past tense and climate change in
the future tense are the reason everything is going to shit.


signature.asc
Description: PGP signature

Bug#1059492: r-b CI: drop i386

2023-12-26 Thread Holger Levsen

package: jenkins.debian.org

To ease maintenance and to free ressources for testing amd64
and because Debian trixie will probably be released without an
i386 kernel (and without d-i too), I'd like to stop doing CI
builds for i386.


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

Stop saying that we are all in the same boat.
We’re all in the same storm. But we’re not all in the same boat.


signature.asc
Description: PGP signature

Bug#1059491: r-b CI: drop bullseye

2023-12-26 Thread Holger Levsen

package: jenkins.debian.org

To easy maintance, to use fewer ressources and to make individual
package pages a bit less confusing, I want to stop testing
bookworm. 

Bookworm test results for individual packages are still visible
in each package test history page.


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

The vision of self driving cars is nothing compared to the vision of no cars at 
all.


signature.asc
Description: PGP signature

Bug#1059489: r-b CI: run latest diffoscope again

2023-12-26 Thread Holger Levsen

package: jenkins.debian.org

Ever since debugging why jenkins.d.n rebooted frequently, we've been
doing Debian CI builds using diffoscope from bookworm. 

We should switch back to using diffoscope from unstable.


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

Homosexual behavior has been found in over 1,500 species. Homophobia is found
in only one.


signature.asc
Description: PGP signature

Bug#1059483: Acknowledgement (r-b CI: oom killer must not kill certain processes)

2023-12-26 Thread Holger Levsen

diffoscope and sshd are other processes which should not be killed.


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

The road to fascism is lined with people telling you to stop overreacting.


signature.asc
Description: PGP signature

Bug#1059488: /var/log/mail.log and .../syslog are filling up / sometimes

2023-12-26 Thread Holger Levsen

package: jenkins.debian.org

Once every while we are notified like this:

Fri Dec 22 11:05:01 UTC 2023 - Warning: too large files found in /var/log:
-rw-r- 1 root adm 33G Dec 22 11:05 /var/log/mail.log
-rw-r- 1 root adm 33G Dec 22 11:05 /var/log/syslog

And then, instead of fixing this properly, I just paper over

# rm /var/log/mail.log /var/log/syslog ; for i in postfix rsyslog ; do 
systemctl restart $i ; done

and move on. This bug is to remind me to fix this properly.


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

It's not about saving the climate or the planet, it's about saving us, the
children and grandchildren. The planet will survive anyway.


signature.asc
Description: PGP signature

Bug#1059483: r-b CI: oom killer must not kill certain processes

2023-12-26 Thread Holger Levsen

package: jenkins.debian.org

Up until this week, we could see several cases of the oom killer
gone wild frequently:

- postgresql killed and stopped on jenkins
- squid being killed and stopped on codethink04
- jenkins, the service, restarted on jenkins

This week I've increased swap from 10g to 24g on the codethink nodes
and from 8g to 40g on jenkins.d.n, which helped and at least makes
the squid killings on codethink04 much rarer.

However, it's still happening and it should not happen.


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

„Never argue with an idiot. They will drag you down to their level and beat
 you with experience.“ (Mark Twain)


signature.asc
Description: PGP signature

Bug#1059482: r-b: missing .buildinfo files from bookworm

2023-12-26 Thread Holger Levsen

package: jenkins.debian.org

https://tests.reproducible-builds.org/debian/bookworm/amd64/index_no_buildinfos.html
lists 45 missing .buildinfo files for bookworm

src:bind9 pkgs:1:9.18.19-1~deb12u1 / .buildinfo
src:cjose pkgs:0.6.2.1-1+deb12u1 / .buildinfo
src:curl pkgs:7.88.1-10+deb12u4 / .buildinfo
src:ffmpeg pkgs:7:5.1.4-0+deb12u1 / .buildinfo
src:frr pkgs:8.4.4-1.1~deb12u1 / .buildinfo
src:glibc pkgs:2.36-9+deb12u3 / .buildinfo
src:grub2 pkgs:2.06-13+deb12u1 / .buildinfo
src:gst-plugins-bad1.0 pkgs:1.22.0-4+deb12u3 / .buildinfo
src:libcue pkgs:2.2.1-4+deb12u1 / .buildinfo
src:librsvg pkgs:2.54.7+dfsg-1~deb12u1 / .buildinfo
src:libvpx pkgs:1.12.0-1+deb12u2 / .buildinfo
src:libwebp pkgs:1.2.4-0.2+deb12u1 / .buildinfo
src:libx11 pkgs:2:1.8.4-2+deb12u2 / .buildinfo
src:libxnvctrl pkgs:525.85.05-3~deb12u1 / .buildinfo
src:libxpm pkgs:1:3.5.12-1.1+deb12u1 / .buildinfo
src:lldpd pkgs:1.0.16-1+deb12u1 / .buildinfo
src:llvm-toolchain-16 pkgs:1:16.0.6-15~deb12u1 / .buildinfo
src:lorene pkgs:0.0.0~cvs20161116+dfsg-1 / .buildinfo
src:maria pkgs:1.3.5-4.1 / .buildinfo
src:mediawiki pkgs:1:1.39.5-1~deb12u1 / .buildinfo
src:mosquitto pkgs:2.0.11-1.2+deb12u1 / .buildinfo
src:nghttp2 pkgs:1.52.0-1+deb12u1 / .buildinfo
src:node-babel7 pkgs:7.20.15+ds1+~cs214.269.168-3+deb12u1 / .buildinfo
src:node-browserify-sign pkgs:4.2.1-3+deb12u1 / .buildinfo
src:ntpsec pkgs:1:4.2.8p15+dfsg-2~1.2.2+dfsg1-1+deb12u1 / .buildinfo
src:ntpsec pkgs:1.2.2+dfsg1-1+deb12u1 / .buildinfo
src:orthanc pkgs:1.10.1+dfsg-2+deb12u1 / .buildinfo
src:pmix pkgs:4.2.2-1+deb12u1 / .buildinfo
src:postgresql-15 pkgs:15.5-0+deb12u1 / .buildinfo
src:python-django pkgs:3:3.2.19-1+deb12u1 / .buildinfo
src:rabbitmq-server pkgs:3.10.8-1.1+deb12u1 / .buildinfo
src:roundcube pkgs:1.6.4+dfsg-1~deb12u1 / .buildinfo
src:ruby-rinku pkgs:1.7.3-2 / .buildinfo
src:samba pkgs:2:4.17.12+dfsg-0+deb12u1 / .buildinfo
src:samba pkgs:2:2.6.2+samba4.17.12+dfsg-0+deb12u1 / .buildinfo
src:slurm-wlm pkgs:22.05.8-4+deb12u1 / .buildinfo
src:strongswan pkgs:5.9.8-5+deb12u1 / .buildinfo
src:testng7 pkgs:7.5-2~deb12u1 / .buildinfo
src:thunderbird pkgs:1:115.5.0-1~deb12u1 / .buildinfo
src:tiff pkgs:4.5.0-6+deb12u1 / .buildinfo
src:tor pkgs:0.4.7.16-1 / .buildinfo
src:trafficserver pkgs:9.2.3+ds-1+deb12u1 / .buildinfo
src:vlc pkgs:3.0.20-0+deb12u1 / .buildinfo
src:wireshark pkgs:4.0.11-1~deb12u1 / .buildinfo
src:zookeeper pkgs:3.8.0-11+deb12u1 / .buildinfo

three of them are the same as in trixie, the others are all coming
from deb12uX uploads.

Further investigation is needed to find out why.


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

The system isn't broken. It was built this way.


signature.asc
Description: PGP signature

Bug#1059481: r-b: missing .buildinfo files from trixie

2023-12-26 Thread Holger Levsen

package: jenkins.debian.org

https://tests.reproducible-builds.org/debian/trixie/amd64/index_no_buildinfos.html
lists three missing .buildinfo files for trixie:

src:lorene pkgs:0.0.0~cvs20161116+dfsg-1 / .buildinfo
src:maria pkgs:1.3.5-4.1 / .buildinfo
src:ruby-rinku pkgs:1.7.3-2 / .buildinfo

These should be fixed with sourceful uploads of these packages. Their
last uploads were all in 2016... (=before dpkg produced .buildinfo
files.)


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

the US had open borders before 1924. when people say "my grandparents came here
legally" they mean "they bought a boat ticket and showed up" because visas,
green cards and requirements of passports didn't exist. (@OneRadChee)


signature.asc
Description: PGP signature

Bug#1059480: r-b CI: some packages are tried several times...

2023-12-26 Thread Holger Levsen

package: jenkins.debian.org

Hi,

each time before an unreproducible package is compared with
diffoscope, a stamp file is created, which is then removed
after diffoscope was run. Thus I can see that sometimes a
package is tried again and again and again, until its eventually
not tried anymore.

this should not happen, a package should be tested once.

however, on jenkins.d.n in /var/log/reproducible-builds/
we can see these files:

diffoscope_stamp_sks_unstable_i386_1703308532
diffoscope_stamp_sks_unstable_i386_1703310265
diffoscope_stamp_sks_unstable_i386_1703315291
diffoscope_stamp_sks_unstable_i386_1703322870
diffoscope_stamp_sks_unstable_i386_1703323375
diffoscope_stamp_sks_unstable_i386_1703323755
diffoscope_stamp_sks_unstable_i386_1703324387
diffoscope_stamp_sks_unstable_i386_1703324844
diffoscope_stamp_sks_unstable_i386_1703325229
diffoscope_stamp_sks_unstable_i386_1703330688
diffoscope_stamp_sks_unstable_i386_1703331605
diffoscope_stamp_sks_unstable_i386_1703341082
diffoscope_stamp_sks_unstable_i386_1703341483
diffoscope_stamp_sks_unstable_i386_1703342267
diffoscope_stamp_sks_unstable_i386_1703350211
diffoscope_stamp_sks_unstable_i386_1703351571
diffoscope_stamp_sks_unstable_i386_1703361039
diffoscope_stamp_slic3r_unstable_arm64_1703159567
diffoscope_stamp_speedcrunch_unstable_arm64_1703152673
diffoscope_stamp_sympy_unstable_arm64_1703157290
diffoscope_stamp_sympy_unstable_arm64_1703164530
diffoscope_stamp_sympy_unstable_i386_1703157315
diffoscope_stamp_sympy_unstable_i386_1703164572
diffoscope_stamp_sympy_unstable_i386_1703172472
diffoscope_stamp_unknown-horizons_unstable_armhf_1703212506
diffoscope_stamp_unknown-horizons_unstable_i386_1703332822
diffoscope_stamp_unknown-horizons_unstable_i386_1703342200
diffoscope_stamp_unknown-horizons_unstable_i386_1703343474
diffoscope_stamp_unknown-horizons_unstable_i386_1703357148
diffoscope_stamp_virtuoso-opensource_unstable_amd64_1703276924
diffoscope_stamp_webkit2gtk_bookworm_amd64_1703151187
diffoscope_stamp_webkit2gtk_experimental_amd64_1703611488
diffoscope_stamp_webkit2gtk_trixie_i386_1703494426
diffoscope_stamp_xemacs21-packages_trixie_arm64_1703238854
diffoscope_stamp_xemacs21-packages_trixie_arm64_1703246085
diffoscope_stamp_xemacs21-packages_trixie_armhf_1703551009
diffoscope_stamp_xemacs21-packages_unstable_amd64_1703170315
diffoscope_stamp_xemacs21-packages_unstable_amd64_1703177304
diffoscope_stamp_xemacs21-packages_unstable_arm64_1703158396
diffoscope_stamp_xemacs21_trixie_armhf_1703551996
diffoscope_stamp_zabbix_trixie_arm64_1703247846
diffoscope_stamp_zabbix_unstable_amd64_1703243104
diffoscope_stamp_zabbix_unstable_amd64_1703252482
diffoscope_stamp_zabbix_unstable_arm64_1703190730


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

The mark of a civilized man is the ability to look at a column of numbers and
weep. (Bertrand Russell)


signature.asc
Description: PGP signature

Bug#1059479: r-b CI tests very slow

2023-12-26 Thread Holger Levsen

package: jenkins.debian.org

Hi,

somehow there are far less packages being tested these days then
previously:

amd64   arm64   armhf   
i386
packages tested on average per day in the last week 596 3484482 
348
packages tested on average per day in the last 4 weeks  774 4351546 
339
packages tested on average per day in the last 3 months 10182987916 
359
packages tested on average per day in the last year 144618621331
658

only arm64, using newer hardware, achieves the amout of packages
we did a year ago. when looking at above numbers bear in mind
that the average for the last year is already skewed as the
current slowness is probably half a year old already...


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

No mas pobres en un pais rico!


signature.asc
Description: PGP signature

Bug#926388: status of this bug: #926388 / Stop adding the DebianEdu root CA to NSS shared database

2023-12-25 Thread Holger Levsen

On Mon, Dec 25, 2023 at 01:06:55PM +0100, Guido Berhoerster wrote:
> This commit is currently part of a draft MR: 
> https://salsa.debian.org/debian-edu/debian-edu-config/-/merge_requests/28
> The fix is only applicable for unstable and cannot be backported to bookworm.

thanks for the clarifications, Guido!


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

Everyone is entitled to their own opinion, but not their own facts.


signature.asc
Description: PGP signature

Bug#926388: status of this bug: #926388 / Stop adding the DebianEdu root CA to NSS shared database

2023-12-25 Thread Holger Levsen

control: tags -1 - pending
thanks

hi,

#926388 "let Firefox trust /etc/ssl/certs/ca-certificates.crt"
has been marked as pending with
https://salsa.debian.org/debian-edu/debian-edu-config/-/commit/4b63838ab777314d4611195f0be58c29203b8f1a
but this commit was never merged into the master branch, thus I'm
removing the pending tag now.

Do we need this for bookworm or is just cruft?


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

We can send billionaires to space but not kids to fully funded public schools.


signature.asc
Description: PGP signature

Bug#1056222: bookworm-pu: package debian-edu-artwork/2.12.4-1~deb12u1

2023-12-23 Thread Holger Levsen

control: forcemerge -1 1057891
control: retitle -1 bookworm-pu: package debian-edu-artwork/2.12.4-1~deb12u1
thanks

Hi,

I've just uploaded debian-edu-artwork/2.12.4-1 to unstable and expect that we'd
want to at least update in bookworm to this. However I'm not sure which debdiff
you'd like to see, to the one in bookworm or the one in bookworm-pu?


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

The law, in its majestic equality, forbids the rich as well as the poor to
sleep under bridges, to beg in the streets, and to steal bread. (Anatole France)


signature.asc
Description: PGP signature

Bug#1057315: src:tiles added to security-support-limited.(13|12|11|10)

2023-12-23 Thread Holger Levsen

hi,

so I'm adding src:tiles to security-support-limited.(13|12|11|10),
as no removal is planned (and it's dead upstream etc).


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

If you upload your address book to "the cloud", I don't want to be in it.


signature.asc
Description: PGP signature

Bug#1054189: bullseye-pu: package debian-security-support/1:11+2023.10.17

2023-12-22 Thread Holger Levsen

On Thu, Dec 21, 2023 at 08:59:31PM +, Jonathan Wiltshire wrote:
> > I've updated this update request for adding 3 more lines to
> > security-support-ended.deb11 (and updating d/changelog)
> Please go ahead.

thanks, uploaded.


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

First they ignore you, then they laugh at you, and then it's too late.
Don't look up!


signature.asc
Description: PGP signature

Bug#1058589: developers-reference: please mention urgency=critical/emergency for completeness

2023-12-14 Thread Holger Levsen

control: reopen -1
control: reassign -1 debian-policy
control: retitle -1 please stop mentioning urgency=critical
thanks

On Wed, Dec 13, 2023 at 10:27:20PM +0100, Daniel Gröber wrote:
> On Wed, Dec 13, 2023 at 07:24:49PM +0000, Holger Levsen wrote:
> > I believe Debian policy should be changed then and not mention a severity
> > which is not used in practice.
> Easier said than done. I see debian-policy@d.o is already CCed on this bug
> so, opinions?

debian-policy@ has been cc: on this bug because developers-reference and
debian-policy share the same mailinglist.
 
> Doesn't policy document the reality that these urgency values are in fact
> usable? Do you not agree that britney does in fact support these? If I go
> ahead and upload a package with urgency=critical will this be REJECTed by
> ftp-master?

It will not be rejected but setting the urgency has little practical
relevance these days. You could also upload with urgency=low or urgency=high
and that would be the same in practice.

> If not they exist so why shouldn't they be documented in devref?

- because it will make people use them
- because people always think their issues are critical
- because using them will not have an effect
- because people will then complain that they have no effect
- because all of this is a waste of someones time.


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

https://showyourstripes.info


signature.asc
Description: PGP signature

Bug#1058589: developers-reference: please mention urgency=critical/emergency for completeness

2023-12-13 Thread Holger Levsen

On Wed, Dec 13, 2023 at 07:04:01PM +0100, Daniel Gröber wrote:
> That's fine, but in that case this fact should be documented instead no?
> Right now there's confusion across the docs what criticality levels are
> available. Britney.conf and d-policy mention critical/emergency but nothing
> else even acknowledges they exist which is just confusing.

I believe Debian policy should be changed then and not mention a severity
which is not used in practice.


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

half the worlds poor life in resource rich countries.
HOME: https://youtu.be/Eu6ieWI3yjI


signature.asc
Description: PGP signature

Bug#1054189: bullseye-pu: package debian-security-support/1:11+2023.10.17

2023-12-11 Thread Holger Levsen

control: retitle -1 bullseye-pu: package debian-security-support/1:11+2023.12.11
thanks

hi,

I've updated this update request for adding 3 more lines to
security-support-ended.deb11 (and updating d/changelog)

On Wed, Oct 18, 2023 at 04:46:44PM -0300, Santiago Ruano Rincón wrote:
> [ Reason ]
> The reasons for this proposed update are:
> * Fix two bugs already solved in bookworm (#986581 and #986333)
> * Include samba in the list of packages with limited support (#1053109).
> 
> Currently, because of #986581 and #986333, d-d-s's check-support-status
> silently ignores "golang*" packages, so users don't get any warning
> about their limited support status.

now also to add these 3 lines to security-support-ended.deb11:

tor  0.4.5.16-1  2023-11-22  
https://lists.debian.org/debian-security-announce/2023/msg00258.html
consul   1.8.7+dfsg1-2   2023-12-04  
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1057418
xen  4.14.5+94-ge49571868d-1 2023-09-30  
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053246

 
> [ Impact ]
> Bullseye users will continue to don't get any warning about the limited
> support regarding the golang.* packages installed in their systems.
> 
> As for the samba-related change, without the upload, users will lose a
> change to get informed about its security support situation.
> 
> [ Tests ]
> The changes include tests to verify #986581 and #986333 have been fixed.
> I have also manually verified on a bullseye container how the current
> and the proposed packages behave, and I can confirm the issues are
> fixed, and I didn't identify any regression.
> 
> [ Risks ]
> The relevant code has been included in bookworm since its release. They
> were fully included in 1:12+2021.09.30:
> https://tracker.debian.org/news/1263114/accepted-debian-security-support-11220210930-source-into-unstable/
> 
> The only difference in check-suppor-status.in between the proposed
> update and bookworm is:
> 
> git diff HEAD bookworm -- check-support-status.in
> diff --git a/check-support-status.in b/check-support-status.in
> index 3ebf5e9..86b080a 100755
> --- a/check-support-status.in
> +++ b/check-support-status.in
> @@ -13,7 +13,7 @@ VERSION='[% VERSION %]'
>  # Oldest Debian version included in debian-security-support
>  DEB_LOWEST_VER_ID=9
>  # Version ID for next Debian stable
> -DEB_NEXT_VER_ID=12
> +DEB_NEXT_VER_ID=13
> 
>  if [ -z "$DEBIAN_VERSION" ] ; then
>  DEBIAN_VERSION="$(cat /etc/debian_version | grep '[0-9.]' | cut -d. -f1)"
> 
> So the risk of regression is miminum.
> 
> 
> Regarding the change of adding samba in the list of packages with
> limited support. That doesn't represent any risk.
> 
> [ Checklist ]
>   [x] *all* changes are documented in the d/changelog
>   [x] I reviewed all changes and I approve them
>   [x] attach debdiff against the package in (old)stable
>   [x] the issue is verified as fixed in unstable
> 
> [ Changes ]
> 
> From d/changelog:

the full new changelog is:

debian-security-support (1:11+2023.12.11) UNRELEASED-bullseye; urgency=medium

  [ Santiago Ruano Rincón ]
  * Mark samba support limited to non-AD DC uses cases (Closes: #1053109)
  * Drop version-based check (Closes: #986581) and update test suite
accordingly. Backport changes made by Sylvain Beucler.
  * Match ecosystems with limited support, test case updated. (Closes: #986333)
Backport changes by Sylvain Beucler.
* Use golang.* (as regex) instead of golang* in security-support-limited

   [ Salvatore Bonaccorso ]
   * Add tor to security-support-ended.deb11 Closes: #1056606.

   [ Moritz Muehlenhoff ]
   * Mark Consul as EOLed in Bullseye. Closes: #1057418.
   * Mark Xen as EOLed in Bullseye. Closes: #1053246.

 -- Santiago Ruano Rincón   Tue, 17 Oct 2023 13:08:20 
-0300



I haven't uploaded this yet but everything is ready in a git branch.

Thanks!


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

Be careful when you follow the masses. Sometimes the "m" is silent.


signature.asc
Description: PGP signature

Bug#1057343: Processed: Re: Bug#1057315: tiles: CVE-2023-49735

2023-12-04 Thread Holger Levsen

Hi Salvatore,

thanks for your continous work on Debian security!

On Sun, Dec 03, 2023 at 08:03:05PM +, Debian Bug Tracking System wrote:
> > clone -1 -2 -3
> Bug #1057315 [src:tiles] tiles: CVE-2023-49735
> Bug 1057315 cloned as bugs 1057342-1057343
> > retitle -2 tiles: Add README.Debian.security to document support status
> > reassign -3 src:debian-security-support
> > retitle -3 Mark tiles as only supported for building applications shipped 
> > in Debian
 
ack & this starts when? with 3.0.7-4 in buster? or 20231204? or?


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

I’ve said it once, and I’ll say it a thousand times: If the penalty for
breaking a law is a fine, then that law only exists for the poor.


signature.asc
Description: PGP signature

Bug#1057314: check-dfsg-status: package rename broke "reasons" functionality

2023-12-03 Thread Holger Levsen

On Sun, Dec 03, 2023 at 08:20:54PM +1100, Dmitry Smirnov wrote:
> Rename of the package from "vrms" broke important functionality.
> Formerly packages could install "reasons" file to 
> /usr/share/vrms/reasons/
> but since (redundant) package rename (for non-technical concerns), "reasons"

(the rename was technical, vrms was not opiniated like rms, but was following
DFSG all along. check the BTS!)

> are expected in
> /usr/share/check-dfsg-status/reasons/
> which broke this functionality for all packages that still install "reasons" 
> files to legacy location for vrms.

oh wow, TIL, thanks!

$ apt-file search vrms/reasons
bsdgames-nonfree: /usr/share/vrms/reasons/bsdgames-nonfree
cpio-doc: /usr/share/vrms/reasons/cpio-doc
cuneiform-common: /usr/share/vrms/reasons/cuneiform
d1x-rebirth: /usr/share/vrms/reasons/d1x-rebirth
d2x-rebirth: /usr/share/vrms/reasons/d2x-rebirth
nautilus-dropbox: /usr/share/vrms/reasons/nautilus-dropbox
tar-doc: /usr/share/vrms/reasons/tar-doc

while check-dfsg-status checks /usr/share/check-dfsg-status/reasons :/

I'll see how to address this.



-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

The wrong Amazon is burning.


signature.asc
Description: PGP signature

Bug#1057103: Acknowledgement (bookworm-pu: package debian-edu-doc/2.12.20~deb12u1)

2023-11-29 Thread Holger Levsen

hi,

attached is the compressed debdiff. I've also uploaded the package to
bookworm in the meantime.


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

If nothing saves us from death, may love at least save us from life.


debian-edu-doc_2.12.20~deb12u1.diff.xz
Description: application/xz


signature.asc
Description: PGP signature

Bug#1057103: bookworm-pu: package debian-edu-doc/2.12.20~deb12u1

2023-11-29 Thread Holger Levsen

Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
x-debbugs-cc: debian-...@lists.debian.org

[ Reason ]
Update to the latest version of the Debian Edu bookworm & bullseye manuals and
their translations. This update also adds a build-depends on inkscape which
will cause some PDFs for some languages to be build again.

[ Impact ]
Updated debian-edu-doc and translations. Some users will be happy about having
a PDF manual again too.

[ Tests ]
Build and smoke-tests.

[ Risks ]
Hardly any & definitly none for anyone not using the package.

 debian/changelog   
  |   38 
 debian/control 
  |1 
 debian/mail_stats_to_list  
  |5 
 documentation/debian-edu-bookworm/debian-edu-bookworm-manual-stripped.xml  
  |   42 +++--
 documentation/debian-edu-bookworm/debian-edu-bookworm-manual.da.po 
  |  118 ---
 documentation/debian-edu-bookworm/debian-edu-bookworm-manual.de.po 
  |  124 +--
 documentation/debian-edu-bookworm/debian-edu-bookworm-manual.es.po 
  |  558 ---
 documentation/debian-edu-bookworm/debian-edu-bookworm-manual.fr.po 
  |  118 ---
 documentation/debian-edu-bookworm/debian-edu-bookworm-manual.it.po 
  |  368 ++
 documentation/debian-edu-bookworm/debian-edu-bookworm-manual.ja.po 
  |  118 ---
 documentation/debian-edu-bookworm/debian-edu-bookworm-manual.nb-no.po  
  |  114 +++---
 documentation/debian-edu-bookworm/debian-edu-bookworm-manual.nl.po 
  |  206 +++---
 documentation/debian-edu-bookworm/debian-edu-bookworm-manual.pl.po 
  |   95 +---
 documentation/debian-edu-bookworm/debian-edu-bookworm-manual.pot   
  |   88 ---
 documentation/debian-edu-bookworm/debian-edu-bookworm-manual.pt-br.po  
  |  776 
++-
 documentation/debian-edu-bookworm/debian-edu-bookworm-manual.pt-pt.po  
  |  676 
--
 documentation/debian-edu-bookworm/debian-edu-bookworm-manual.pt.po 
  |  704 
++---
 documentation/debian-edu-bookworm/debian-edu-bookworm-manual.ro.po 
  |  104 ++---
 documentation/debian-edu-bookworm/debian-edu-bookworm-manual.sv.po 
  |  699 
+++--
 documentation/debian-edu-bookworm/debian-edu-bookworm-manual.xml   
  |  133 +++-
 documentation/debian-edu-bookworm/debian-edu-bookworm-manual.zh-cn.po  
  |  124 +--
 documentation/debian-edu-bookworm/debian-edu-bookworm-manual.zh-tw.po  
  |   94 +--
 documentation/debian-edu-bookworm/images/installer-logo.svg
  |  177 ++
 
documentation/debian-edu-bookworm/source/AllInOne-debian-edu-bookworm-manual.xml
 |   97 +++-
 documentation/debian-edu-bullseye/debian-edu-bullseye-manual.es.po 
  |  599 
+++-
 documentation/debian-edu-bullseye/debian-edu-bullseye-manual.pt-br.po  
  |   16 +-
 26 files changed, 3943 insertions(+), 2249 deletions(-)



[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in stable
(will do attach the 90kb compressed diff one the bug has made it to the 
list)
  [x] the issue is verified as fixed in unstable

[ Changes ]
 debian-edu-doc (2.12.20~deb12u1) bookworm; urgency=medium
 .
   * Upload to bookworm.
 .
 debian-edu-doc (2.12.20) unstable; urgency=medium
 .
   [ Translation updates ]
   * Bookworm manual:
 - Brasilian Portuguese: Fred Maranhão.
 - Italian: Claudio Carboncini.
 - Spanish: Francisco Javier Carro Orgeira.
   * Bullseye manual:
 - Brasilian Portuguese: Fred Maranhão.
 - Spanish:Eulalio Barbero Espinosa and Francisco Javier Carro Orgeira.
 .
   [ Holger Levsen ]
   * stop sending monthly mails about the bullseye edu manual
 .
 debian-edu-doc (2.12.19) unstable; urgency=medium
 .
   [ Holger Levsen ]
   * Update Debian Edu Bookworm manual from the wiki.
 .
   [ Guido Berhoerster ]
   * Add build-dependency on inkscape in order to converts SVGs, bringing back
 the PDF versions of the bookworm manuals.
 .
   [ Translation

Bug#1057057: debian-policy: Please make Checksums-Sha1 optional

2023-11-28 Thread Holger Levsen

hi,

snapshot.d.o also uses sha1 sums, at least internally, but I'd not
surprised if also for external verification. 


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

Reporter: You're the first person ever to win two Olympic tennis gold medals.
That's an extraordinary feat, isn't it?
Andy Murray: I think Venus and Serena have won about four each.


signature.asc
Description: PGP signature

Bug#1055919: python-ansible-pygments: please make the build reproducible

2023-11-15 Thread Holger Levsen

On Wed, Nov 15, 2023 at 01:31:26PM +, Chris Lamb wrote:
> I would be more than willing to conclude that this is an issue in
> tests.reproducible-builds.org setup. However, I am actually seeing
> these test files when I build locally as well — and my patch
> consequently fixes the "problem". Moreover, I am not using the same
> setup as tests.reproducible-builds.org at all. (Can you confirm whether
> you see them when building locally?)

tests.r-b.o is using pbuilder, while the buildds use sbuild. what do you use?


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

Privacy is a Human Right. (Universal Declaration of Human Rights, article 12.)


signature.asc
Description: PGP signature

Bug#1055648: debian-edu-config: once trixie development started, remove cruft from pre-pkgsel

2023-11-09 Thread Holger Levsen

Package: debian-edu-config
Version: 2.13.x
Severity: wishlist

Dear Maintainer,

the attached patch should be applied once trixie development for Debian Edu has
started.


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

Cholera is over. It's safe to put sewage in our drinking water again.
(@stimmyskye)
From 7f048da3c15ee93d446bc33a716cf3d7a33a96dd Mon Sep 17 00:00:00 2001
From: Wolfgang Schweer 
Date: Tue, 7 Nov 2023 09:51:40 +0100
Subject: [PATCH 2/2] cleanup pre-pkgsel from cruft

---
 share/debian-edu-config/d-i/pre-pkgsel | 32 --
 1 file changed, 32 deletions(-)

diff --git a/share/debian-edu-config/d-i/pre-pkgsel b/share/debian-edu-config/d-i/pre-pkgsel
index 295b6528..7492687f 100644
--- a/share/debian-edu-config/d-i/pre-pkgsel
+++ b/share/debian-edu-config/d-i/pre-pkgsel
@@ -266,37 +266,6 @@ EOF
 fi
 }
 
-create_initial_localadmin_user() {
-LOCAL_USER_ID="localadmin"
-LOCAL_USER_GECOS="Local Administrator"
-LOCAL_USER_UIDNUMBER="1000"
-LOCAL_USER_PRIMGIDNUMBER="1000"
-
-LOCAL_USER_INGROUPS="$LOCAL_USER_INGROUPS adm sudo"
-
-if db_get passwd/root-password-crypted && [ "$RET" ] ; then
-	log "No clear text root password, unable to use it for creating the initial local user"
-else
-	# retrieve root password
-	db_get passwd/root-password
-	LOCAL_USER_PASSWD=$RET
-	# create initial local user
-	in-target /usr/sbin/addgroup --gid $LOCAL_USER_PRIMGIDNUMBER $LOCAL_USER_ID 1>&2 || true
-	in-target /usr/sbin/adduser --gid $LOCAL_USER_PRIMGIDNUMBER \
-		--firstuid $LOCAL_USER_UIDNUMBER \
-		--home /home/$LOCAL_USER_ID \
-		--shell /bin/bash \
-		--disabled-login \
-		--gecos "$LOCAL_USER_GECOS" $LOCAL_USER_ID 1>&2 || true
-	# add initial local user to some standard system groups
-	for group in ${LOCAL_USER_INGROUPS}; do
-		in-target /usr/sbin/adduser $LOCAL_USER_ID $group 1>&2 || true
-	done
-	# set password (batch mode)
-	in-target /bin/sh -c "echo ${LOCAL_USER_ID}:${LOCAL_USER_PASSWD} | /usr/sbin/chpasswd" 1>&2 || true
-fi
-}
-
 # Work around grub bug #712907 (see also bug #763580) by preseeding
 # grub-installer/choose_device to the disk used by /target/boot
 # This fix it for the most common case.
@@ -348,7 +317,6 @@ for p in $(echo $PROFILE | tr , " ") ; do
 case $p in
 	# Only do this for the networked tasks, not for standalone
 	Main-Server|Workstation|Roaming-Workstation|LTSP-Server|Minimal)
-	#create_initial_localadmin_user
 	in-target /usr/share/debian-edu-config/tools/preseed-ldap-kerberos
 	in-target /usr/share/debian-edu-config/tools/preseed-sitesummary
 
-- 
2.42.0



signature.asc
Description: PGP signature

Bug#1055647: debian-edu-config: On main server internal name resolving fails: /etc/resolv.conf is empty

2023-11-09 Thread Holger Levsen

Package: debian-edu-config
Version: 2.12.32
Severity: important

Dear Maintainer,

Wolfgang Schweer wrote:

On a main server, internal name resolving fails: /etc/resolv.conf is empty.
Reason is a wrong /etc/network/interfaces file, generated during installation.
In case the LTSP-server profile is chosen additionally, this file is rewritten
and a correct resolv.conf file is generated.

The d-i/pre-pgksel script writes nameserver and search entries concerning the
loopback interface. This used to work for more than a decade.
After ifupdown package changes, those entries are no longer evaluated; they
need to be moved to the eth0 interface to obtain a correct resolv.conf file.


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

If a monkey hoarded more bananas than it could eat, while most of the other
monkeys starved, scientists would study that monkey to figure out what the
heck was wrong with it. When humans do it, we put them on the cover of Forbes.


signature.asc
Description: PGP signature

Bug#1055534: sq-wot should stay a bit longer

2023-11-08 Thread Holger Levsen

hi,

in https://gitlab.com/sequoia-pgp/sequoia-wot/-/issues/50
Neal H. Walfield wrote 5 days ago:

begin quote
I think that long term, we should drop sq-wot, the CLI. Right now, it has one 
advance over the sq CLI: it implements gpg's trust model (--gpg-ownertrust). 
It's unclear whether we want to add that functionality to sq, and if so how to 
expose it. One possibility would be to add a gpg variant to the web of trust 
library (see #49) , and then have an option in sq to use an ownertrust db. But, 
I'm not so excited about that.
 end  quote


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

It ain't no revolution, just because you can dance to it.


signature.asc
Description: PGP signature

1 2 3 4 5 6 7 8 9 10 >

1 - 100 of 6829 matches

Mail list logo